Malware Analysis Report

2025-01-23 13:59

Sample ID 241227-ett61s1phz
Target The-MALWARE-Repo-master.zip
SHA256 b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
Tags
chimera lokibot agilenet collection defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer trojan macro upx aspackv2 macro_on_action geforce host guest mydoom darkcomet njrat modiloader remcos revengerat wipelock
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Threat Level: Known bad

The file The-MALWARE-Repo-master.zip was found to be: Known bad.

Malicious Activity Summary

chimera lokibot agilenet collection defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer trojan macro upx aspackv2 macro_on_action geforce host guest mydoom darkcomet njrat modiloader remcos revengerat wipelock

Chimera

RevengeRat Executable

Chimera Ransomware Loader DLL

Modifies Windows Defender Real-time Protection settings

Chimera family

Lokibot family

Modiloader family

Mydoom family

Modifies WinLogon for persistence

Lokibot

Njrat family

Detects MyDoom family

Revengerat family

Remcos family

Darkcomet family

Wipelock Android payload

Wipelock family

ModiLoader First Stage

UAC bypass

Deletes shadow copies

Renames multiple (3294) files with added filename extension

Office macro that triggers on suspicious action

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Suspicious Office macro

Modifies Windows Firewall

Event Triggered Execution: Image File Execution Options Injection

Disables use of System Restore points

ASPack v2.12-2.42

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Deletes itself

Impair Defenses: Safe Mode Boot

Looks up external IP address via web service

Requests dangerous framework permissions

Accesses Microsoft Outlook profiles

Declares services with permission to bind to the system

Adds Run key to start application

Declares broadcast receivers with permission to handle system events

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

AutoIT Executable

UPX packed file

Drops file in Program Files directory

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

NSIS installer

Modifies registry class

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Interacts with shadow copies

Suspicious behavior: RenamesItself

outlook_office_path

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-27 04:16

Signatures

Darkcomet family

darkcomet

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A

ModiLoader First Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Mydoom family

mydoom

Njrat family

njrat

Remcos family

remcos

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Wipelock Android payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Wipelock family

wipelock

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. android.permission.BIND_WALLPAPER N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-27 04:14

Reported

2024-12-27 04:23

Platform

win11-20241007-en

Max time kernel

378s

Max time network

387s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip"

Signatures

Chimera

ransomware chimera
Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A

Chimera Ransomware Loader DLL

ransomware
Description Indicator Process Target
N/A N/A N/A N/A

Chimera family

chimera

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (3294) files with added filename extension

ransomware

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\NetSh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\system.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\GroupedList\GroupedList.js C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-down.svg C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_AppList.scale-125_contrast-white.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-100.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\ui-strings.js C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-80.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\dom\isVirtualElement.js C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\ui-strings.js C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCardLogo.base.js C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\setFocusVisibility.js C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-30_altform-unplated.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\ui-strings.js C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-400.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\resources.jar C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_it_135x40.svg C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Icons\StickyNotesSmallTile.scale-125.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DetailsList\ShimmeredDetailsList.js C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\ui-strings.js C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-72_altform-unplated.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-40_contrast-black.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-default_32.svg C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\organize.svg C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Illustration_Seasons_Winter_Center.svg C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\CameraAppList.targetsize-40_altform-unplated.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-150.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\osm.x-none.msi.16.x-none.vreg.dat C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-40_altform-lightunplated.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-125.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-100.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\da.txt C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt-br_get.svg C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-256_altform-lightunplated.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-63.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Illustrations\icon3.scale-125_theme-dark.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\LargeTile.scale-400_contrast-white.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.scale-125.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SnipSketchAppList.targetsize-30_altform-unplated.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-lightunplated_contrast-white.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Wide310x150Logo.scale-200.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\file_icons.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateAppIcon.altform-lightunplated_targetsize-16.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-400.png C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\NetSh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\NetSh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\NetSh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\7ev3n.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\system.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\SCHTASKS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3347882645" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31152200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "228" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4212 wrote to memory of 2548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 2548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 2716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 2716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4212 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe

"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe

"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe

"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffba2623cb8,0x7ffba2623cc8,0x7ffba2623cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,3365244310957878805,15661664107909245161,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,3365244310957878805,15661664107909245161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,3365244310957878805,15661664107909245161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3365244310957878805,15661664107909245161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3365244310957878805,15661664107909245161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe

"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe

"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe

"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\SYSTEM32\NetSh.exe

NetSh Advfirewall set allprofiles state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\7ev3n.exe

"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\7ev3n.exe"

C:\Users\Admin\AppData\Local\system.exe

"C:\Users\Admin\AppData\Local\system.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -r -t 00 -f

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a34855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 2.18.66.65:443 tcp
GB 2.18.66.65:443 tcp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
GB 2.18.66.65:443 tcp
GB 2.18.66.41:443 tcp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 www.veryicon.com udp
RU 95.165.168.168:8444 tcp
US 158.222.211.81:8080 tcp
RU 95.165.168.168:8444 tcp
US 8.8.8.8:53 blesblochem.com udp
US 158.222.211.81:8080 tcp
US 8.8.8.8:53 blesblochem.com udp
RU 95.165.168.168:8444 tcp
US 158.222.211.81:8080 tcp
US 8.8.8.8:53 blesblochem.com udp
RU 95.165.168.168:8444 tcp
US 8.8.8.8:53 blesblochem.com udp
US 158.222.211.81:8080 tcp
US 8.8.8.8:53 blockchain.info udp
RU 95.165.168.168:8444 tcp

Files

memory/2848-482-0x00007FFB886C5000-0x00007FFB886C6000-memory.dmp

memory/2848-483-0x000000001BF80000-0x000000001C026000-memory.dmp

memory/2848-484-0x00007FFB88410000-0x00007FFB88DB1000-memory.dmp

memory/2848-485-0x000000001C520000-0x000000001C9EE000-memory.dmp

memory/2848-486-0x000000001CB50000-0x000000001CBEC000-memory.dmp

memory/2848-487-0x00007FFB88410000-0x00007FFB88DB1000-memory.dmp

memory/2848-488-0x000000001C9F0000-0x000000001C9F8000-memory.dmp

memory/2848-489-0x000000001CDB0000-0x000000001CDFC000-memory.dmp

memory/2848-490-0x00007FFB88410000-0x00007FFB88DB1000-memory.dmp

memory/2848-491-0x00007FFB886C5000-0x00007FFB886C6000-memory.dmp

memory/2848-492-0x00007FFB88410000-0x00007FFB88DB1000-memory.dmp

memory/2848-493-0x00007FFB88410000-0x00007FFB88DB1000-memory.dmp

memory/2848-494-0x00007FFB88410000-0x00007FFB88DB1000-memory.dmp

memory/3016-495-0x0000000010000000-0x0000000010010000-memory.dmp

memory/3016-500-0x00000000051A0000-0x00000000051BA000-memory.dmp

C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

MD5 c452b6ab5fcf2f46692d3b2e9a63a2df
SHA1 3b8ee5ea327fcfb0f0d8e7c8660373c5777b21e7
SHA256 19c3e66dbd632d2081bafae5b94c3583601c6e532650bc521d4ea58474c359d2
SHA512 8578c8da31b1caddbe841c07652887c83027c0529158c62a9506736e28c694422547082a71f375a5c4f9630e185d88cea3b49628798c9929473f9045b882b495

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e11c77d0fa99af6b1b282a22dcb1cf4a
SHA1 2593a41a6a63143d837700d01aa27b1817d17a4d
SHA256 d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0
SHA512 c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c0a1774f8079fe496e694f35dfdcf8bc
SHA1 da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3
SHA256 c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb
SHA512 60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

\??\pipe\LOCAL\crashpad_4212_DYFDCRIMSZBDNMWC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6374f3b67576d9f47a2803c736fbb49d
SHA1 d89bc5cb0c21273d814bf633d5974d36decf6763
SHA256 4b3dd7ebe2798d304951b9b3cb684bda8e9e29e6cbdc86b1d79e6233ce2943c5
SHA512 1b1c8dcf0994936a5bdd51f745b8a4cf7387d46e3e18fe25eebb9628a3f37e8f7d07c14bbacd1cca79f6a8c29234a59f25d90be4cfc2c7a48f1cd355aaed169b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0fb5f3b3a746b927fa29db329c2d98c5
SHA1 65d7d9aa03dc70759c40543d260d22a80b004db6
SHA256 bc6781ae601f5cffcf6e7a5233fe37dc11deae5137ac627707fb8f96710e7e22
SHA512 5e55b3cc7da8337a03fce4d96e5676ab87e23d8ca600453f20dc6f1b8e043ad9600ddebe2d16f30b7040ca5c4c0bb1823b9d91be800d995de5a24c74a75a40f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 85f6b19b50c2b98608a8573e87415e68
SHA1 962600c656de188c9425cf550c5b376fcbaedbf0
SHA256 978c36cf1303c59948861839f83b6cdff50a30cd1507abc9c67fffb3c8ed7315
SHA512 2c037d811111a93bb6db609830d17dbfbdc1b9b527cc604229ff08cc232ddf888e8620cdbdb3c3f546ed79bce347497795fe4b60cec3410d46cb4e709aeed5dc

memory/2160-8496-0x0000000000D40000-0x0000000000D92000-memory.dmp

memory/2160-8497-0x00000000030C0000-0x00000000030D4000-memory.dmp

memory/2160-8498-0x0000000005E10000-0x00000000063B6000-memory.dmp

memory/2160-8499-0x0000000005920000-0x0000000005928000-memory.dmp

memory/2160-8500-0x00000000065E0000-0x0000000006672000-memory.dmp

memory/2160-8501-0x00000000065D0000-0x00000000065D8000-memory.dmp

memory/2160-8502-0x0000000006720000-0x0000000006764000-memory.dmp

memory/2160-8503-0x00000000066F0000-0x0000000006712000-memory.dmp

memory/1976-8504-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1976-8505-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3973800497-2716210218-310192997-1000\0f5007522459c86e95ffcc62f32308f1_43ef074c-17c1-4956-ab3f-c3b0c6ae62b9

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3973800497-2716210218-310192997-1000\0f5007522459c86e95ffcc62f32308f1_43ef074c-17c1-4956-ab3f-c3b0c6ae62b9

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

memory/3468-8549-0x000001ECDDDE0000-0x000001ECDEDD4000-memory.dmp

memory/3468-8550-0x000001ECF9300000-0x000001ECFA88E000-memory.dmp

C:\Users\Admin\Documents\CompressClear.odp.crypt

MD5 9fa48bb6f4c0a362bbc15beb7341ecc2
SHA1 8a88205803f0036c405cb4e8aaa1d7056750ebb4
SHA256 7c0c1d492f1563c9b066300c3aafb2e02986b03ceade3da1e4819387e0e826c3
SHA512 1214dc2a533a8c5aa0692c6c082e3efd6a9618d9750af523ec7d411e5a47c7b7794b95230ddf626c79d640ce12d02e8fbcb7706d3dacbc794101fcadb28d7d44

C:\Users\Admin\Documents\CopyAssert.wps.crypt

MD5 b6572f86a60753a0808859bfa783a560
SHA1 e8800976891b1241696d2e5670e9878c53c264fa
SHA256 4f42679b0cdba9ed6c37c572629ef950a5cad8d04b1c6a7d3a15babde8c1415d
SHA512 4a7bd9409c5d6e7dd4ca76d3d486de88521fab79a49caa32d57341d25ce0691d0ff49631b5bfc5e53ae70ce64a01c46fb3d9a2e1c4cea8fa7f9b86262d7b6bd0

C:\Users\Admin\Documents\DenyRemove.pptx.crypt

MD5 37044bbad2632d2ac828c9309012b473
SHA1 132c96151139a372e07400d5b7ed5686f76aefb7
SHA256 e7b9758ff533d81d882ba3c8bc87931ad3d36f3f7935cffd7ae0ffad2e57bb85
SHA512 b435b0aac445bfc81760aebdffe742bcc6f07ec1aba85016a8448e49a396a5c23687cf6d9589d8b2f27bf91adba7743dc9a9daf259bb0ebaa17e0f3a69289d26

C:\Users\Admin\Documents\desktop.ini.crypt

MD5 4660a6ebd19a25d10d6e253f3d4ffb2c
SHA1 58ce48d37ec42d00a29c45162c059679934a8fb0
SHA256 35d78af01e70ce74e54bdbed5a5b2272335b562914372bad7a8aa8d10df3a29b
SHA512 b7790ab842690888443aefe60661f6044a61801f3878b592378c964f6a05fff52985976c9950b82e796cca721540eb7ad5b9afa7c3701196c3a4c0c280e6527d

C:\Users\Admin\Documents\EnableSearch.pdf.crypt

MD5 a961d9cc4f00ff129d123242c5d7eaa0
SHA1 4df0b27913415759e0534428558b30785dd726fc
SHA256 d8d6751df13fd70da8b5f5c693bf99d900d2b4f959c9b96323305384e10de5ff
SHA512 ec7bf53852a2f4ab125acffd0492127d3f05e12b08b59e3e9a7f026e87381a9e03ada0345b2c973b4517ceed77d411ac47977c47938047d72c3553b819bee9b8

C:\Users\Admin\Documents\GrantImport.xlsx.crypt

MD5 717b6d37dcb25f5504c299690c5121cc
SHA1 abc1343faa94aad53c522187193c2628e94e4a5e
SHA256 15de865011d6d808a84d4fe141cab50a5127b86d5a8483b4104fa08415b4cb0e
SHA512 eeeb966fce5dca54b5c985ac311a509944ad7fc4290b81884089d63fbfee26d0a45d86de266220a8777ed804f930ea5423464fac2ccc0e0ac8290a51bdc680c4

C:\Users\Admin\Documents\HideTest.docm.crypt

MD5 24cd078c83db810a407ac0cebb3c2bf8
SHA1 a965fdcde90389c42bc8111afe34d6845cfd7f0a
SHA256 1fc1be3882f16b9ae104678f0627c8c3db1b92869cb82a1e548d95cf1a9a971a
SHA512 e3ebb97510c7eb6c6a95d76948f8cd19b396ef0030025e96e48d82054c10973fd90ddf489b1a61ad7f95c72fbbd25a8168525bab9141c26a25c63f4a271117e0

C:\Users\Admin\Documents\JoinGet.csv.crypt

MD5 09c6160adae1e6ae279e851cd148bfa3
SHA1 9388d3a20e3f58d2b76b8982188e88cedc83db62
SHA256 8a3aa67470c69cefcc5ec7bf7ef021450e769519ee2dcec5f959d4d75bd82f74
SHA512 ca026f21cc704e34aa748f05e83b38c739960df141c8139d2b10ae35fd0d4e7c7e383e6d55ace6d11db56c0b3eb52729293f035e4ada523a0c3b0c3cfd278213

C:\Users\Admin\Documents\OutResize.xlsm.crypt

MD5 0135e3603cfcfc5dd0c3ba2c371b3b2e
SHA1 9794359beba600b486e9ecb5b4dc89e51ed84d89
SHA256 7ffbcfb96afa37115e0b0d60f02006b36903df0172d0e997067e08a789348fa2
SHA512 c5fa850dcbd80f6a427f4da379c9880d89779839199ae985435c01de6d97c0a7f33709f70ff92a22a05a3cbf02262647dda2151fef4342687bf982f13c793267

C:\Users\Admin\Documents\PublishDebug.pptm.crypt

MD5 0a90940c639bb6c19002383016045683
SHA1 46b5e223824e60b861707ff187e52b8ea7117480
SHA256 b27b34d5d9fc768cf4deddea0898d042ca369512028b2b44cac02af63b1438a1
SHA512 975c1475773c0222b211bbca6ac48017d6b667589118262896ae3279a8bbe8d2978a956ec6447a860166ef74b101cde232805dbe3fedbc1cc94a89f1ea8ee3aa

C:\Users\Admin\Documents\RestartRepair.txt.crypt

MD5 8e5140999b73ff55e2179e34e347b330
SHA1 a16a404f727827f3df47acb681a16ae52a5ac2ff
SHA256 1874188f09993ad10913c0466e5d52415377fb5bdae4cbc0d08d608d6fb1daf5
SHA512 ba8680ffe89fb43a037afd9652ffd4a245007e5fd4a53d99508fdf35ae1b4f67d7bb5c48e30a11556f8137e3447f5c01fe837c9c327114d8f08289b8514a9671

C:\Users\Admin\Documents\SaveOut.pptm.crypt

MD5 a4153b7f0cd500ed6c3ee75c4f251cd0
SHA1 c0cf56fe37c660579298a6838374d7a38c3cac55
SHA256 e12ee44dac49220d942a4e7c258f2f42dc6536954ddccc84d2833a0b0020f70b
SHA512 aba35405d71a2febad7996d76ce6ac925d2aa6f32752e41c67146125171e4d17f52c8f0245badff4626aa762264bb15dc580efe46141d0f44961975ed61bade1

C:\Users\Admin\Documents\SelectAdd.xlsm.crypt

MD5 2b25397d7631df80198fb706c46d9890
SHA1 5276a7c44c9b8de14bdbfc844c50fab991c10305
SHA256 5219cde4ff9906725d7c8bf7605a8f65fc3bf0877d4a0d2d2a4f1b035790a18c
SHA512 591f1c030e34707fa4f147bf34caa3cd1eb301e0b0f7229b7f0ac377fce6c89cd71dd67c51312eb365cedde2c06a36c41a6c51cb2183b6cc5bc77dd942114421

C:\Users\Admin\Documents\SplitCompress.docx.crypt

MD5 4521285388eb77822b089733e176e614
SHA1 6cb9ae24f67214d0d427bad667966a5c59142f2a
SHA256 a51c48eaf1c71fc01c4ffa24b27eee506ca9ecb88e462da8f9bd693f814bd4f1
SHA512 46847bab85a8ad80d1a57024e78d51eaeef184fcdabb381b8207e7a4382e13ee291cc9cb06510e52668bb51680a0cdd8cd6fe2856a6913a06529bb7f87f25599

C:\Users\Admin\Documents\SplitExport.xlsx.crypt

MD5 2a4063e1de21f46c7deedc31bd6b5412
SHA1 9abca40a6da30692c11d8932ad20ed6fa83d58c6
SHA256 158e7939a701dc9bfd3461481d43cf3ca4a7c59e8e8ecbca405a1fa2496d009b
SHA512 976180b43d6258fab992fa44d4e0d9c0789cce958c248a909ab16f96b0c24b07bbc0fc01d086006cca192640af8861d8bc12a64a64217df1b5bbe92d1c9f9a25

C:\Users\Admin\Documents\TraceEdit.ods.crypt

MD5 a141e561c0b8378ef11103029fe9ba42
SHA1 81a5d4137eeaed94a82f5c3f2ba8f6bf37f3c9a6
SHA256 7a7e72286505ffe6e90d62e71c076dfcc693055c8650913e76e07d88edb70749
SHA512 a7898dd0cbcb2d6e0a9fbb2d5862efd93dfffd8b7fdc5d06a2a5877b1f7353ccd731c8ab16198d5cc0bbd485634b3c3198e3ba7b3cd45eb0c14e00b528da95a4

C:\Users\Admin\Documents\UnlockLock.pptx.crypt

MD5 e837d0e6083fe95c83af3694c38a370c
SHA1 cdfd2a8b6f2594b437fd543e1292edc01258e7d7
SHA256 c3ce75142dbc9d7c14aa709eb0f18b61ff728b6c05488426fcaab19e07aa31c6
SHA512 1c79394febce58d6587bcaec255819a3bf891af0f1324c895bede6b2699c4407ec71e3853f3a82856c398aed5e6f1e77202eceb5793189fc6194499f455ea58a

C:\Users\Admin\Documents\WaitTrace.xps.crypt

MD5 e672fd72fd67c952483d659ce4534938
SHA1 75ab1ab5fc3f5c2f5257fa06c263335ef9658b33
SHA256 2e49e027a726d1739065ff71c0adff484a841b5a98f4d46a02f7069b2857b86b
SHA512 d146fd8ede82fd3178c166977760b2b9171c5b7c7abfa8b100ebefb5e4c3103855764c9058a2f094a132772da8f4546aa7e831490665393f75cbd9689f2bcb60

C:\Users\Admin\Documents\WriteOpen.csv.crypt

MD5 efcaa159d8a854e7d1d14ec7a14d511f
SHA1 0b02a85144d8d66a3259ff23ae61d39e88ad08a5
SHA256 cdd7b0852a6c1808bd1b88ba57950ede380c2406e0be5d27dc9f7f49ad080754
SHA512 4d4a9a7bd65d837f5fb393a3c99d8c8ace963dfb68b01dd90d9255bd7e005e2e86d866197c1b28007cb127e055a16f902c2c87e38d595ab445891cfb2abfe9d4

C:\Users\Admin\Music\desktop.ini.crypt

MD5 0382f9399eda6858cd13cc0034cdbebd
SHA1 f7a8df308ccbcf4ce75ec99b99c3d89a96422352
SHA256 369ad798d836eb15f47b70d5305c4008540f82badd1153f1c64fb5379572a08b
SHA512 d1bb4907261d38890cd9b4fd5d339e99335b599c6cf92f764d4c74e289bf2a24885b9429594fe6c0fce5b59497671034086f14e71cdc5460b76660c37ac3feba

C:\Users\Admin\Music\FormatReset.png.crypt

MD5 dbcb875737c5a34ec912d78e36235281
SHA1 d4d93ce733b9e90d76f837cf45de7562fcd7a9f0
SHA256 3f922e70b0b2ee1f99b56de2aa30b046b9a28d9dfc40c3560426143eb04cc810
SHA512 e69fad406519c56299545ee6e3e7ad07ad41b24a31939f5b253670ee92a041ff00a0b8bb5e69240ea54fa23a99860b4293950c6e9118b45235ae31b0c6871512

C:\Users\Admin\Music\PushInitialize.bin.crypt

MD5 e58ca92eb8749b017692abc21499e712
SHA1 ae2d06d9d97b9a2f6b8744f38431812a1c4f94b8
SHA256 5597eda9fd211a9c9b5b771ba61abf9a9d8af7eada4f5d2909c0015183e25e05
SHA512 854824e80799376b56d2782b2c579145bef0d78850af46fa821e004951690610c5ef4b007dadb2c7f59f5952099f16319ac6271bb6b18a83e2ee7951fd5bdb92

C:\Users\Admin\Music\RestartRevoke.gif.crypt

MD5 815baa37e75c3f961ccde5f07c33d4e4
SHA1 5ef49eb7a6eeb974bd8f7e5d9bb315caca825bc3
SHA256 00f33fc50bb9a925d9b33b014b04ebb03319c88b0429acdd06dc3bd1cdcecb7e
SHA512 d47ff6f5ad1da3cca217ca45f65246adb6225d45c621f025db99e7e8ae5a7d999d7e8f981cfea6ba1cfdb99c0fed4dbe8bd3fba511d3d0ef8496451c83262333

C:\Users\Admin\Music\StartSubmit.gif.crypt

MD5 8d9ca38dd19adc35b0ee765db6ba3062
SHA1 334e73af815ee3492372c65cb9d9123c5fa69174
SHA256 529ab898e020b18b2a04c1bff085d5a6be52d51f452d928e6b17ddda19e49277
SHA512 05584ccdda256e4c16ecc57120420f0e9393d774183deb3c768336219dc6cbdea509bc2d5ff9772504268d6eed8982b4318f741922bab9536aba324fb914784a

C:\Users\Admin\Music\UnprotectStep.js.crypt

MD5 648a91e7e5c634c4857853f3f2edd7c8
SHA1 b2a715cd40cd912eb03b0eacb244e55a011150d8
SHA256 22e7087be900aba660e986c96944f65dcd1e8f5a04d971705b285bc2cabb16c5
SHA512 8814ddf5fa6e488fb4c4b3f5cc9713b8e4f1a349d18be5fa08de22e191195a433af64f5191414c213f525071195bfb5589fc64bfa65ab031f89eead4e74edf20

C:\Users\Admin\Music\WriteFind.m4v.crypt

MD5 bbc81da54635bb4fc434a6504f9beef6
SHA1 be08ed40f8bb51efc3d11753737f7b8d59a5dab3
SHA256 a2f2226b22516d2728419f9dc076b295db5b13d520a16336db9dc14167551b5d
SHA512 3307289af7bc62130aed654df1a9ec1553728e6bb1088084b81de040de65cfaf962838d299d250b17c6503b8e5a7dd34d1d6db041cc3d079c15eb7367e8f64e2

C:\Users\Admin\Music\WriteSend.wma.crypt

MD5 00df5722c9065cc5bc4d059200073976
SHA1 7d4da2e6d78c50561b9fb3a4bec0f0e02d3fc67f
SHA256 acf65178e9b23b7afcf43033b8b083892607af513fbb6c7ca657830f66db07df
SHA512 8d18bd6e25588d102ab4df4a2364f87a66c1c4483f2a5ecc00d72ce7d686f267b4fc031b86465620bf3b1753b18ae7104fb5dea4e9ec182ee5d0bfe4814f4141

C:\Users\Admin\Pictures\Camera Roll\desktop.ini.crypt

MD5 d5a158b5bca51e5a1a23d7553ee4ae40
SHA1 0b02e9e83a310ebbf44cab9bf496af89e9c0ae4a
SHA256 f67a7640fc678bba1261f37a92f77d1173ffe7e28986c6747e5800704cfc4cd5
SHA512 cad9d7a7c4083748352140d977d07fe9f91900156f483c08acdd6b2193e372e3e2c84989049b8bb259cb73c5d439e723fc978af22093376d24fd2f123142a56c

C:\Users\Admin\Pictures\Saved Pictures\desktop.ini.crypt

MD5 2270d29dfd0e4b6607a203b4a75240e5
SHA1 acd86ed755f6e08e4a2848f968a54329335e213b
SHA256 532ad8a365e47658a3b4419670d977816ad2d755d48a3ea15325ce8e10db4cb1
SHA512 92a69fef50e18e3f7cef6654c8bb22e9e2d7cdea13d1e2a0da20ba4d44bb1312f3502a4516c26fafa5d95e1d1da52619ed3f20253af23ed54e4a4fc91bce113f

C:\Users\Admin\Pictures\ApproveDeny.tiff.crypt

MD5 0fad98e11f68652c6aa7ed241bd300ac
SHA1 9cc2f753389cdf62b61a11008f2159656833bf38
SHA256 35a4966697aca7c8882275aa801e217b8549e4cb629ddad8cb7ce1cd0bf65fee
SHA512 15a60ef2413c59bfb7b334b62a507a2f31a081e9c3d3ae1a3f87864bd7c555eda3ce266fd26bbcb6387c63382bc2be199a3765ccf6615b77e93b5ff5a28afd8d

C:\Users\Admin\Pictures\ClearCheckpoint.dwg.crypt

MD5 3fcba0bb11a1c4e5e1c9c3552cfa77ff
SHA1 89adeb3af44387ef862043ae6452b546a5a840da
SHA256 8441b5940116642f219f33d89e1325d93c55ad89e75b9b6f74addf753fbbc653
SHA512 2143133030ac0f4dc4cd0abe7e3250fc7dd46579e9cc508611bed41c18b1a2c766477ca63d133e45eccb2a0a1bca8c14790879c5dc9553e56fa07a5edd7247c9

C:\Users\Admin\Pictures\ClosePing.eps.crypt

MD5 33b84ce13fe8d33ffca3699468963d10
SHA1 7aa34298069848fc7bd2bb4559aad94e7df45ccc
SHA256 f3abdeff0c8ded99fae4d8864cd9da281c6c1f30ec4373ab5c49afeb3aa8510c
SHA512 63c82d807cad968d9b07cdccbd40b1d492f5bd12f1f817f3685428d35922c6521a89ecc228327802cf673dfb24ddbbf89806c4fb524fee7334c61b26f9f2a219

C:\Users\Admin\Pictures\CompareRevoke.jpeg.crypt

MD5 8e51de52b569b2c29c252d460f3d9961
SHA1 538098dc10f5dc070b850259b3c2d5a46241780b
SHA256 943fdbff35cff4dca82de3a8a1d347b02b8e57304d24e2f553356efb7211f6ca
SHA512 77d045c5fd756aedccee88fb7b7295e5a08cdc9494b04d05cd25f882a5efb73ff7930862142ec088592131e56bd152239683dfc0160d541fc832c9ca673ba3ac

C:\Users\Admin\Pictures\ConfirmExpand.gif.crypt

MD5 1d285ef10c6ebfe08f9377b345664952
SHA1 e86610202c43b34daabcb54024fc8a485d76dfd4
SHA256 48c91c32e78266883be11610fa0d43f318f3678750ec41d2ada7e075a532493e
SHA512 096e92d7225b32648136d2efa8f9bfdd73e6d22760441b34e0e4a83a2c410035ce190f7e691c78da32c4a14e5a32c689d6793f9e238504ab9d9c52419ec3e82d

C:\Users\Admin\Pictures\CopyFormat.gif.crypt

MD5 074adae8aa88014c150ddc87edc4592f
SHA1 f812cf9267d516e8299b6a40f719777f4f81f74e
SHA256 e0690a923ee3e52f37f53b9359c826a4741f3febdf44e0f9e9e64457f0d92b0f
SHA512 7433466bfcc41e2bc8d168d3f19677926239194fabfed636ca84e35c6e898f30719713a08170e09e718f9e09c37eed8fcb53413c89c61e3fc2665da8431ebb4d

C:\Users\Admin\Pictures\desktop.ini.crypt

MD5 1f37746da1129343373491459700c9f9
SHA1 36bf63c5c2c8fd57395e2d344cf47581feeb0b23
SHA256 131f805d9e6d84bb97164aca73852864f28da9f9a119808c2cbb9c06ef9bcc84
SHA512 60a73f8ceed0cc99319127449d0e582b7d5b98dc75d866416718f41df16f7251a80b13ad3f48d831b89e2a9a52c4d11c8b588dfecf1793e350b7ed199f7b59db

C:\Users\Admin\Pictures\DismountProtect.svg.crypt

MD5 8162c616f67f6d3cced69083dd839299
SHA1 f114aa00cc40f836ffdb057e05a115966248f4ae
SHA256 496c155611428ea2e57c5e6265331426c0419a9eecb1ae47ef5b32ec1fb8b75d
SHA512 68df30026ab8898a12be3b8b45ef4043b9d87f6b98a3ee5a1402362a2758f67a732a5666d13a151691c909ac610fc70e8663d45527feab7afd60e4946a72d40b

C:\Users\Admin\Pictures\ExportEdit.dwg.crypt

MD5 d21cdcf6ca04fe81a34447a8365a1067
SHA1 d9de6557e88180eb1ba8e0990695ae767e924da2
SHA256 aa91dbbc94384c45db61b104068fb3710b53c977a6a7730c6cb1dedd9dec6b27
SHA512 96bde02f8014d8e271dd1c7a7cbad2da44d0df7b1a16702ada4a87f2280c3af9a862f4f118776d0915b3122f43da833991da0d08cbe5331bf9e654659436ffaf

C:\Users\Admin\Pictures\ExportNew.eps.crypt

MD5 da9ffaf019af9f79dfc7bb9c27f01dc6
SHA1 36c9f286fdad7013886f7495f864a3201a8528c9
SHA256 b0c187a4cde20b2624884321df824da3ba55506879a3c3e37f2e02782ad93edf
SHA512 818171477af0cb084bca2c8697aad52464878ec6793e2c6388744325c1549db74b8d64b8e4a9a542bdefb4ce0e75e157e246e9f0091c3fb86083a1afc33613fb

C:\Users\Admin\Pictures\InvokeImport.dwg.crypt

MD5 38afa4ed135ced65c2f30a9e58a8a901
SHA1 cdfff2a8bc19935fd91db7de0b0aed15a93bfd35
SHA256 547d90000586fc6300a2194660c337bbba2c6d669cad67272c96d5d752d1bc68
SHA512 80de1973c2ae12443087bf8fa9ded834b9fba25f867ccb389773cd8219e57a3ab900358ca16b9dbf1249024bd88f376d92f46b648cc6d026c8dcaacd921c174e

C:\Users\Admin\Pictures\MountReceive.gif.crypt

MD5 17f6c7b9c57e9126f5bea9445633bb55
SHA1 bf0ce4ffc2a0de486f695167e4646c289074a129
SHA256 7556dc0d3ee84ef0de7813dc774856793b8c3ba2afda4d0a5f44d90f6161aeae
SHA512 85c165918ad336b7a051a0f8050682eefdd944f3a6b6767f0f6a728d662ce241c4451eab7dedf5927534a65bb64914a17234045c41bc0d1b74f25b9f02e1226c

C:\Users\Admin\Pictures\MoveRevoke.dwg.crypt

MD5 f395d135e9ea51728689aab2b4cd93a7
SHA1 e861e0ac2f6b909820bff05b7e1c1149eea76c2e
SHA256 00538a46d35e41bf6849c61ff8eb3694ac417157dd502f8ae3d7232b80bc2ec7
SHA512 2973dc0c2d6a9bbac5d14d4f15274cb9a2dc16e6a3d949308d037ef15460f2b445d8a1663d13207a184a2bd571a04db7a27b7e8b78bccfe9ebcce140f478b4ea

C:\Users\Admin\Pictures\My Wallpaper.jpg.crypt

MD5 4722397ff88a79f7cc9812cd126c87c9
SHA1 cb88b7da99e3a6eec3ba3b4bf1ae1180c5a01b82
SHA256 91fe361f3f6ba9130f1b6db87d59b426cd8e2c2fc2591f99a9c58ecd823a5762
SHA512 f382d49cefcfa95a1788bb180c1439b8907a34892611c4fa5331677ad487f745c44f94044abd6b2c5d7be3abdea4718d182ec546606fba0dfa4154ae9255e010

C:\Users\Admin\Pictures\PushDismount.raw.crypt

MD5 32598472dca92a9c70aee2d323b373b5
SHA1 65a0a25e7918835ed92daaf972b95648e9fbf8c4
SHA256 8f8cf249fc78617b8c64691bcae39bd9cbb565bc28ba49dac0caffc30e213cd8
SHA512 57b5ee7ca2be9b229c86bcc76385c4bc47507bad775fbbae0923cae9777f2e72fabdd30c1d846dd6877fe1a0bdac28e4ca9f51e384b3faa907bf82a2ba146341

C:\Users\Admin\Pictures\RegisterResume.tiff.crypt

MD5 c6ee5ac4df33fc8fb84e1c3378bb1994
SHA1 6e36eac75427e0071b4322e5ba6683241d57cd89
SHA256 883491aa1612ca453384c4fdd6367a0d50037401725c888645880188a395cf90
SHA512 41191c17c7f2d1e50cd97637cb898660e3db26d2d6c2fa9b19628344253da4e22d54dbe08f7cc5b5c2ebb5dcf668e7676ed23642de642544352491e194ef73aa

C:\Users\Admin\Pictures\RemoveMove.jpg.crypt

MD5 d6b5be1676dc3a415dbed0a3521640ad
SHA1 fef84f2561931dd1cbd2e331f502483e2fa341d9
SHA256 ec7305c150f98373ca64721905346f17c7c2993a97592cbefe5060f8dc9f4a9f
SHA512 e38cc14faf969aa3145f5f3da9a243eaaddf8c03212cdf6ad44c9a539fd931abf56967b4bb32a0925ac193e55b64b17b6e5f082e22e1024d8a9c89dba627fffb

C:\Users\Admin\Pictures\ResumeClose.tiff.crypt

MD5 50f2ce92749c1fb762ee245371d74510
SHA1 1d0fb2b63e4ba7506202fa96abffb14b73998410
SHA256 cbe9fb3080d6e0f2e63dd45d1887892db61ad541c60cd7aff56146c69fd6708e
SHA512 3c47978904ba9092013da93968906125577175ba4498ce6caa7d3a1c72a9f10eaa6666eec6b5e47e576366128d370dabebbb6a8679f32f8fb641b2e073596ca9

C:\Users\Admin\Pictures\SendConvert.dwg.crypt

MD5 1d385b33341df17c60938815d082293b
SHA1 1af175422f6dde412b4d0d90b454f88ed84fab27
SHA256 32cc62c17a9b1f4002ea26350075c5ead6661b9d0e34e8509471ab03646480d9
SHA512 4968768131de0eca88be3a90d04a87c25ee08b0a2e09f21c780b24fa858bacebb7ea5a735f8dda5f37b92111ee0eb8ec4c6a7f60579f95c0678ca3d47c962b10

C:\Users\Admin\Pictures\TestClear.dxf.crypt

MD5 13dc8545f1eecafbfebf84c50b06b166
SHA1 076d46ece9d1563ec31620d69fb79db20cbbc17d
SHA256 2024df6a51116b90756009149f80cd9a50d9730a3ea5f9790f6579e9f42a6093
SHA512 a3ce871ef0d32dde5d8252ac0b43e525ce1e1409536e03db8a59e5dedcf702c171fc333ec6bea6b8b3b68ab8fe07ed86cfc379c0aa1c6950a5b07b20a5cfe5f5

C:\Users\Admin\Pictures\UnblockDisconnect.jpg.crypt

MD5 523f67db943ea9a96a2f1daafb617a97
SHA1 e7c0430ed6b5ebdea75d993c17a16c046ac2deed
SHA256 c50b7b5a86c9603a6d2bac648deb524e1810cef15781089fa2c86a8c258721ec
SHA512 4d9de2caa3af8e9a87bb320322fd213e01833510c9beda51e53514afcf253f0bcee8bba64ef7eb1ad87b06cb63476a2e73924b0d73200810f467c18fea62367d

C:\Users\Admin\Pictures\UninstallCopy.jpeg.crypt

MD5 87fb82b0a9a963bcb5c9e980aa07a30c
SHA1 b806a1409f59dc90468dbe8096792fa0f75d6e35
SHA256 af3f46b232ad1066d126b8ba4cc213c66daed8021f5ec729fc2118e03f9509ed
SHA512 e5c02fbeb382a4c5bb5c24cd6a7d8067d79a4094e12bc4a9b49a85b04f5601a752aacff087ccd32ff7e08ec9cf49cae59f8ec7e7d081971f867e99490c074cd3

C:\Users\Admin\Pictures\YOUR_FILES_ARE_ENCRYPTED.HTML.ANNABELLE

MD5 7a70569398790b8adf45788b02805140
SHA1 ab00e859fbd10ddd58477ab189290b63a0c7db94
SHA256 ff1113e7fe32122e4940a05ec0530a20239d42d022fd2f2b31b01fa6106d6b54
SHA512 e24faa0a5479f6a1571c5abb31e495c4596bcb0bdda6e81ffd50fc7f81034f29b54a803133292dd4be6ad2d6c222fa9fe3d5109541d12dfaa8ab6230cf61ef48

C:\Users\Admin\Downloads\ComparePublish.html.crypt

MD5 3a2b748a08317aed32dce904cb899a11
SHA1 c8975c4e0b668bf41a8d727dadb70bf2fd749da4
SHA256 4c155960a52012bd11332d45d54d02c6e5667c30cde6d4ff4a48967ed9ad4914
SHA512 6f8ec3ce521edd1056261257971abd4f8cb69c46a9c17dc8af0439bc00ada95f70247e5f6218a5962a58adeaa8d1eedac95cdf77c72f25c6a37bba687f8b2997

C:\Users\Admin\Downloads\ConvertFromSet.mov.crypt

MD5 691884031dfa26404dca21d9ec0c6fb3
SHA1 bb23b2a193a7cef6806be8b78a0988a2c6ebfb57
SHA256 4b0a4027143cf5b6a6eea0ccdbc74a97ca70baa8dc0b6a7e5187ec2880d3365e
SHA512 a10b113537950e61baeed024dea84a62fe955087f841f28164fdfe50cf3d19721869a0b5662ba263eff78f1c1bbe51d1d042067472fb8482846d50d0865da16b

C:\Users\Admin\AppData\Local\system.exe

MD5 f72f443db1e56e4498c7aea8c75a99d7
SHA1 6f0ab3787e45a19900bb4eb283098ec09c35d3c2
SHA256 ab599a0b6f5ad0e68f7f8ba589830aacf44e59a9bb15a12c21e833f2b0ce8f08
SHA512 36e5113d7a020a8eaf9950f124eb6e6b214975fa60bfb39633e1c233b9e1c044927230c7cd72d5cc73406613eebc61c41b76e13caa1b7928e466472b4f29c5ef

memory/2848-9062-0x00007FFB88410000-0x00007FFB88DB1000-memory.dmp