hakbit | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

16/02/2025, 01:02

250216-bd8gxstmfr 10

13/02/2025, 19:41

250213-yd78gssrap 10

Analysis

max time kernel
190s
max time network
194s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25/01/2025, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

241105-dtxrgatbpg_pw_infected.zip
Size

132.7MB
MD5

136b5aad00be845ec166ae8f6343b335
SHA1

e51860dfb734c9715b6c9b74d9c582abe03ca90c
SHA256

38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
SHA512

ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42
SSDEEP

3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz

Score

10^/10

hakbit credential_access defense_evasion discovery execution ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: BFDKYufwvRzsGgBommhaUn0CNIBnB/+dMcvoDC3LZSn4WszVpjJkfEoM68VfwAO7GIwbgp5sS9z5l79s/+FILuMFYFB6y+kXi5KOUtb0CF3UTur5emPO+ikeUB3Sj/GGiRumqf84oo0ZWRGOlGhMV35J/pXHDtpQCNIGqPAs9oqgG8Ub4RcP0Hn0TBOSiqle+gJpOj1rTa9aSUhfIeysnTUn7XOLaBtgjrwwHZ+IFRwoq5eiI+0LlU+tVP2A0Qr2MkXb25oKy0Zn5Flxs0CiIC0/ibq2s2mCeMf+ZWPUhWEOYURYvw0AEzvnymEUu3MpabalhdYfJj9rcFu7BC/D4L/F0VsSvldWxQvoo74mXEdyLUVGqxwy56K7+j1AuyPlut+FS104xi+D8Ed4brN/QQe3FSYN52+LU0XhBGHN4MjvEr/kHoyLe5jLFC4wS9HGHLdAcpw55YIHuktFRKvBENyemMSRsGQaeLbGaOXGna60aCB/PU8yZ5m3/jp8L4rhJTzPG+I/YmOtYnhDi/9x2CmHKhVtcwrMk7Czl/fLsTMYRRZ6RcyE2XQyVprM/fPwPGtkq93TObd2A9fgSkVBcEV362Ndz2LnoX4v09yEwdn1ea/Wfa3HADzAIgk4MSuNo/GQgsFgfwfvpjPmgXMLpeUIp5QWjRbHL7ptzjKMXC0= Number of files that were processed is: 425

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Hakbit family
hakbit
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Executes dropped EXE 15 IoCs

pid	Process
1148	0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
4996	0di3x.exe
1588	0di3x.exe
4552	2c01b007729230c415420ad641ad92eb.exe
4896	2c01b007729230c415420ad641ad92eb.exe
3632	3DMark 11 Advanced Edition.exe
4316	3DMark 11 Advanced Edition.exe
692	3DMark 11 Advanced Edition.exe
1472	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3188	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3448	42f972925508a82236e8533567487761.exe
5020	42f972925508a82236e8533567487761.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
6848	odm.exe
6880	odm.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001a00000002aad1-163.dat	upx
behavioral2/memory/1472-174-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/3188-178-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/3188-206-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/1472-207-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2848	sc.exe
1680	sc.exe
1916	sc.exe
668	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1596	4996	WerFault.exe	80
4452	1588	WerFault.exe	81
4976	3188	WerFault.exe	93
4704	1472	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0di3x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c01b007729230c415420ad641ad92eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3DMark 11 Advanced Edition.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42f972925508a82236e8533567487761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42f972925508a82236e8533567487761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3DMark 11 Advanced Edition.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0di3x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c01b007729230c415420ad641ad92eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3DMark 11 Advanced Edition.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3960	cmd.exe
4100	PING.EXE

Kills process with taskkill 47 IoCs

defense_evasion

pid	Process
1780	taskkill.exe
952	taskkill.exe
448	taskkill.exe
3716	taskkill.exe
4144	taskkill.exe
4536	taskkill.exe
4908	taskkill.exe
1168	taskkill.exe
200	taskkill.exe
548	taskkill.exe
2756	taskkill.exe
1132	taskkill.exe
3028	taskkill.exe
1572	taskkill.exe
4544	taskkill.exe
3580	taskkill.exe
812	taskkill.exe
712	taskkill.exe
1208	taskkill.exe
776	taskkill.exe
3004	taskkill.exe
3024	taskkill.exe
3940	taskkill.exe
3456	taskkill.exe
3516	taskkill.exe
3096	taskkill.exe
3732	taskkill.exe
392	taskkill.exe
3696	taskkill.exe
2904	taskkill.exe
2052	taskkill.exe
5032	taskkill.exe
3880	taskkill.exe
1824	taskkill.exe
4164	taskkill.exe
2952	taskkill.exe
2888	taskkill.exe
2844	taskkill.exe
1644	taskkill.exe
3064	taskkill.exe
4864	taskkill.exe
1864	taskkill.exe
4480	taskkill.exe
772	taskkill.exe
3100	taskkill.exe
3160	taskkill.exe
1008	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4884	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4100	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2068	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2068	7zFM.exe
Token: 35	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeDebugPrivilege	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	392	taskkill.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	3096	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	4544	taskkill.exe
Token: SeDebugPrivilege	3580	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	3880	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	712	taskkill.exe
Token: SeDebugPrivilege	3160	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	4536	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	2756	taskkill.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3632	3DMark 11 Advanced Edition.exe
3632	3DMark 11 Advanced Edition.exe
6980	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1148	2068	7zFM.exe	77
PID 2068 wrote to memory of 1148	2068	7zFM.exe	77
PID 2068 wrote to memory of 1148	2068	7zFM.exe	77
PID 2068 wrote to memory of 4996	2068	7zFM.exe	80
PID 2068 wrote to memory of 4996	2068	7zFM.exe	80
PID 2068 wrote to memory of 4996	2068	7zFM.exe	80
PID 2068 wrote to memory of 1588	2068	7zFM.exe	81
PID 2068 wrote to memory of 1588	2068	7zFM.exe	81
PID 2068 wrote to memory of 1588	2068	7zFM.exe	81
PID 2068 wrote to memory of 4552	2068	7zFM.exe	85
PID 2068 wrote to memory of 4552	2068	7zFM.exe	85
PID 2068 wrote to memory of 4552	2068	7zFM.exe	85
PID 2068 wrote to memory of 4896	2068	7zFM.exe	88
PID 2068 wrote to memory of 4896	2068	7zFM.exe	88
PID 2068 wrote to memory of 4896	2068	7zFM.exe	88
PID 2068 wrote to memory of 3632	2068	7zFM.exe	89
PID 2068 wrote to memory of 3632	2068	7zFM.exe	89
PID 2068 wrote to memory of 3632	2068	7zFM.exe	89
PID 2068 wrote to memory of 4316	2068	7zFM.exe	90
PID 2068 wrote to memory of 4316	2068	7zFM.exe	90
PID 2068 wrote to memory of 4316	2068	7zFM.exe	90
PID 2068 wrote to memory of 692	2068	7zFM.exe	91
PID 2068 wrote to memory of 692	2068	7zFM.exe	91
PID 2068 wrote to memory of 692	2068	7zFM.exe	91
PID 2068 wrote to memory of 1472	2068	7zFM.exe	92
PID 2068 wrote to memory of 1472	2068	7zFM.exe	92
PID 2068 wrote to memory of 1472	2068	7zFM.exe	92
PID 2068 wrote to memory of 3188	2068	7zFM.exe	93
PID 2068 wrote to memory of 3188	2068	7zFM.exe	93
PID 2068 wrote to memory of 3188	2068	7zFM.exe	93
PID 2068 wrote to memory of 3448	2068	7zFM.exe	94
PID 2068 wrote to memory of 3448	2068	7zFM.exe	94
PID 2068 wrote to memory of 3448	2068	7zFM.exe	94
PID 2068 wrote to memory of 5020	2068	7zFM.exe	95
PID 2068 wrote to memory of 5020	2068	7zFM.exe	95
PID 2068 wrote to memory of 5020	2068	7zFM.exe	95
PID 2068 wrote to memory of 404	2068	7zFM.exe	100
PID 2068 wrote to memory of 404	2068	7zFM.exe	100
PID 404 wrote to memory of 1680	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 404 wrote to memory of 1680	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 404 wrote to memory of 1776	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 404 wrote to memory of 1776	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 404 wrote to memory of 2848	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 404 wrote to memory of 2848	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 404 wrote to memory of 668	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 404 wrote to memory of 668	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 404 wrote to memory of 1916	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 404 wrote to memory of 1916	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 404 wrote to memory of 3096	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 404 wrote to memory of 3096	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 404 wrote to memory of 1644	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 404 wrote to memory of 1644	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 404 wrote to memory of 1208	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 404 wrote to memory of 1208	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 404 wrote to memory of 712	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	111
PID 404 wrote to memory of 712	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	111
PID 404 wrote to memory of 812	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 404 wrote to memory of 812	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 404 wrote to memory of 1572	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	113
PID 404 wrote to memory of 1572	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	113
PID 404 wrote to memory of 3064	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 404 wrote to memory of 3064	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 404 wrote to memory of 3516	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	115
PID 404 wrote to memory of 3516	404	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	115

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241105-dtxrgatbpg_pw_infected.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\7zO418EBCF9\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO418EBCF9\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1148
- C:\Users\Admin\AppData\Local\Temp\7zO41825BF9\0di3x.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO41825BF9\0di3x.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 300
    3⤵
    - Program crash
    PID:1596
- C:\Users\Admin\AppData\Local\Temp\7zO418B5AF9\0di3x.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO418B5AF9\0di3x.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 300
    3⤵
    - Program crash
    PID:4452
- C:\Users\Admin\AppData\Local\Temp\7zO418346F9\2c01b007729230c415420ad641ad92eb.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO418346F9\2c01b007729230c415420ad641ad92eb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4552
- - C:\Users\Admin\AppData\Roaming\wou\odm.exe
    "C:\Users\Admin\AppData\Roaming\wou\odm.exe" kja-pex
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6880
- C:\Users\Admin\AppData\Local\Temp\7zO418C41F9\2c01b007729230c415420ad641ad92eb.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO418C41F9\2c01b007729230c415420ad641ad92eb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4896
- - C:\Users\Admin\AppData\Roaming\wou\odm.exe
    "C:\Users\Admin\AppData\Roaming\wou\odm.exe" kja-pex
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6848
- C:\Users\Admin\AppData\Local\Temp\7zO418EFEC9\3DMark 11 Advanced Edition.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO418EFEC9\3DMark 11 Advanced Edition.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3632
- C:\Users\Admin\AppData\Local\Temp\7zO418498C9\3DMark 11 Advanced Edition.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO418498C9\3DMark 11 Advanced Edition.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4316
- C:\Users\Admin\AppData\Local\Temp\7zO418345C9\3DMark 11 Advanced Edition.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO418345C9\3DMark 11 Advanced Edition.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:692
- C:\Users\Admin\AppData\Local\Temp\7zO418E86C9\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO418E86C9\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 312
    3⤵
    - Program crash
    PID:4704
- C:\Users\Admin\AppData\Local\Temp\7zO4181C0C9\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4181C0C9\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 196
    3⤵
    - Program crash
    PID:4976
- C:\Users\Admin\AppData\Local\Temp\7zO41863FD9\42f972925508a82236e8533567487761.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO41863FD9\42f972925508a82236e8533567487761.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3448
- C:\Users\Admin\AppData\Local\Temp\7zO418F5ED9\42f972925508a82236e8533567487761.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO418F5ED9\42f972925508a82236e8533567487761.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\7zO4187D4D9\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4187D4D9\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    - Launches sc.exe
    PID:1680
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
    3⤵
    PID:1776
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    - Launches sc.exe
    PID:2848
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    - Launches sc.exe
    PID:668
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1916
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3096
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:712
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3732
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3456
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3580
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5032
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:200
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4144
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1132
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:392
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4884
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3960
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.7 -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4100
  - - C:\Windows\system32\fsutil.exe
      fsutil file setZeroData offset=0 length=524288 “%s”
      4⤵
      PID:6668
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\7zO4187D4D9\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    3⤵
    PID:4656
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4996 -ip 4996
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1588 -ip 1588
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1472 -ip 1472
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3188 -ip 3188
1⤵
PID:3540

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
c78428341b0549acb2b247f86e8ce39a

SHA1
55b379e517c3b6abb14d2a059698271070fa2f72

SHA256
0989658458842bf4a2614537f1f419f6f5766563d29223c6e62c70f41f0378aa

SHA512
d0d5fd26fe284b0055fe18a4e8b1ff2180964e9f9b6d7f1432828cab0d8a8afdb28be429c6dfb579cdd1620268217a4d76014fe89704fa2b4bba35ea8e91a042

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
6964e3dca8c104143eda0b0451075fd4

SHA1
3b2a1f7944c21e1f9a3b9152d2bba977288df225

SHA256
b6f7fd655907f778d009af286022add5bd02de04f44228ad7ea94b1f5267b9f7

SHA512
2cc6dad7af58cf0e06f7b6411a9f2c34bb8205cedbae633af03ad425b8b606fc0c4266b703dce26e230914b2680d85e25cde4929ebacdcaf5f22859de4e3cbfa

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
9ac7512ca06b720894da896b11525ec2

SHA1
13cf8bb2bf4aa59e389a9a01e29f681c913467e6

SHA256
f0c42c2a32c883340e1acf7c1b39781986d30a3d58100384e3601b6d8990cf39

SHA512
69dc447d16f03d71a6718d1013a37f1aec352f5dfa7742ffb28e8fa1562d019ea1c31780662369fd75e18de414d7ae1a81500fd399658052d00d5935f08615be

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
49065f965ae7700681fe4aa916ef1664

SHA1
9a0019990e5705812dd36e739d82dd7e09bf12cc

SHA256
110c5e9fa6e2ff18eaf594f85891fb1218e57bea91d5ec2bdcd24cbb40aa61dd

SHA512
838a85fe6efb529cb035a1f494f15ce6e5e9c56419e392dfc616ee8d77eda35f6584b198ef0c71699a9c389f0ea2eeb67d279c77bf91c4e5cd8464ec8e8d07cb

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
2f251d89d43a3de0e9b863886e3cad8c

SHA1
dd0ff40187aa28ceceffc47768a33bb53330bdca

SHA256
ea6da87a14c670e86b95bd4999324d9ed243d6bcb554786aeaf4ccc24676c263

SHA512
bde2d8e6be4eb79d228c0df75f41fdc6efd3dce7472bc9443f5a97a53ce30107d0280c36345ef26a1b03feae7cb1355c007f6f72701a1295df3d59df94453e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
77a8b2c86dd26c214bc11c989789b62d

SHA1
8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499

SHA256
e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8

SHA512
c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO41825BF9\0di3x.exe

Filesize
111KB

MD5
bd97f762750d0e38e38d5e8f7363f66a

SHA1
9ae3d7053246289ff908758f9d60d79586f7fc9f

SHA256
d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158

SHA512
d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO418346F9\2c01b007729230c415420ad641ad92eb.exe

Filesize
1.3MB

MD5
daef338f9c47d5394b7e1e60ce38d02d

SHA1
c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e

SHA256
5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58

SHA512
d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO41863FD9\42f972925508a82236e8533567487761.exe

Filesize
3.7MB

MD5
9d2a888ca79e1ff3820882ea1d88d574

SHA1
112c38d80bf2c0d48256249bbabe906b834b1f66

SHA256
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138

SHA512
17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4187D4D9\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Filesize
80KB

MD5
8152a3d0d76f7e968597f4f834fdfa9d

SHA1
c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

SHA256
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

SHA512
eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO418E86C9\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Filesize
669KB

MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO418EBCF9\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

Filesize
355KB

MD5
b403152a9d1a6e02be9952ff3ea10214

SHA1
74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5

SHA256
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51

SHA512
0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO418EFEC9\3DMark 11 Advanced Edition.exe

Filesize
11.6MB

MD5
236d7524027dbce337c671906c9fe10b

SHA1
7d345aa201b50273176ae0ec7324739d882da32e

SHA256
400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c

SHA512
e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gw2lskmp.fhy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\wou\ait.ico

Filesize
1KB

MD5
f6efac00916f3425d6079ae5a956df11

SHA1
3153abfe46186c1186882f67444c82c544615fb7

SHA256
1e866a8f06f125fa1c439f9cb00199be827e74b87eae12368bd1e2cf7ab28728

SHA512
0ba766d5816057941ad9afc80f7b20620b0120411357fe2b97ab0a425b32d4309396ed4866c8b23c92893ed68971c4a8a8c6f25ffa411ba0c70b602a63bd4743

Download Submit
C:\Users\Admin\AppData\Roaming\wou\bro.xl

Filesize
534B

MD5
9768cbbacfffbfcb608d02f4bc7330fb

SHA1
0f9fe57a0d9c06529a1fd0e248e0a30d5e197713

SHA256
d034c340ab94743e6e100b6be021e4cd51d522cbd7f26cef2c9ecd8f8b32d009

SHA512
0c8de5ee369ea22afb1f3322d333a245f9f6df19717ac64e141e67038704600732140ad233c3dca3c5b242c5d81d671506d62c1c7418f02cab7a50463ddb43ab

Download Submit
C:\Users\Admin\AppData\Roaming\wou\bxr.ppt

Filesize
954B

MD5
cac465b663b54fdbbd33d9ad000765e3

SHA1
c0eb3507ea304f2351a8b78b5d9650e06f4e16f2

SHA256
0ab31a0031292a173464ca3e10b12405fafa528ba8bf2cc9804f046fb0d63374

SHA512
1b1e768eb95569e54f8d9fd2e63cf97bb7bb32bdb202c859843d97d9c0444670ecc9a62e4586c76d27bf9ae207f761d4aa2c9ff02c18da70ab72627a6348e350

Download Submit
C:\Users\Admin\AppData\Roaming\wou\ckx.mp3

Filesize
2KB

MD5
b9b8e845c050e6ea22d448ca1198a743

SHA1
fe63880553f7215008db04723ea5f24dfb7b8663

SHA256
3696cfcf5a30c6b60000b5b95dcf6f5f35d4bd7f087652d11016156dff9093ee

SHA512
63d6b46095be49ea1b7ede94c5b2c0ba3d63a0fb4da734e6d8491c927fd1c2f433683525279692397c9e7bce77edf68cbfd5699d7257b6b393dfa777bca94d0a

Download Submit
C:\Users\Admin\AppData\Roaming\wou\duj.mp4

Filesize
1KB

MD5
d5694baebbe78655887a7133b6e50f20

SHA1
70d681d3bab35a57b526c459550b57ea59346dae

SHA256
4b5521e2b8fb3a75290d40b6656fda7354e9f42325dcfc708c9320b76ef65f84

SHA512
84d9dadea6bfe0c66da5b2b79ef92bb626bb4309a36dc470e3aafa61d2471009742cd425e86938f045ed324ed711bb965054d0bd011be13045e996575648dd53

Download Submit
C:\Users\Admin\AppData\Roaming\wou\fcn.txt

Filesize
1KB

MD5
0de38ca65c0946e1d5fbdbc1d4669847

SHA1
6edfc43e4a209cab46018307bb122e2d99ab9014

SHA256
260fdcbce1cc2d00f253131a92317f868f23f560a12b2b050b6c1ef55382ee96

SHA512
bfdbed0661b760b07b327e946f154d9d17fd4f3a6e993f6c0ae0db7bc2382054680af230ccfdbc935e71cf0e844a0643656ecb53c38ca180b9affc6e10301d8b

Download Submit
C:\Users\Admin\AppData\Roaming\wou\guj.xl

Filesize
1KB

MD5
c4c3ae6ee04b4d7f6ddf27135b3ee98c

SHA1
df879deff7c175a607ccd2d618aad08817169862

SHA256
3693c138c8dd97c3692832ba0db9a2c7fc9b857703a95e2a1c28120be197cc48

SHA512
1b065e0166525924076727601ca09b7704027e3718b7a648ca2f0b681c488cdd5b7b17498947377f25f573a29c38063c366ae6f1f47263c14d97e9dc9ecab7a8

Download Submit
C:\Users\Admin\AppData\Roaming\wou\hlw.xl

Filesize
1KB

MD5
6dcac71783f594bdd2bcc1b69899e399

SHA1
7462074c933c83478166dc2207305048997e99f3

SHA256
abe9b8c49e1a9247d9c65fa1c9116476367a9a5124a782c4766b71c5e901fbad

SHA512
427295a9d243cf3a349d211a64d501a49e4e7b523d8de1f381f4c3ff0e654144cc98fb3738906e10a0e69fce13128a325b9718084639b20c812956eb3f0600b8

Download Submit
C:\Users\Admin\AppData\Roaming\wou\ikw.xl

Filesize
1KB

MD5
09f0fec1d6d19ac2386e76b9775f4365

SHA1
423158f9b9adde7f38b137927f5a93ba47c831eb

SHA256
f3f7197fd3f94a5d8f78a5bbc202163570fd8ffca7b31bebca2d8b536ab1cb14

SHA512
526bed188f983c116f875828e7c670ba98545da5c29566c6dd520e81c0e905ea45565db20dedb40f7884bbc64965a00f486062334fd8aeedc8fd82c000bc2920

Download Submit
C:\Users\Admin\AppData\Roaming\wou\jcp.xl

Filesize
1KB

MD5
e604c6e31a04171136522cb5eecba903

SHA1
de7c0e467212629ae134cb3126aa8dc5881f80a1

SHA256
b3411938f8e73a92a9aa5674d123058aeba2580f420b7eb68a59bfd2ec0e351d

SHA512
3a4990678f7f669c9369fc862dca25c5f92b6dbffe3832ac39199fb5e4a34793a66253cf7bc6a82d4b375793e74f68c595b26caffc73ce1aecb1be5eea35a826

Download Submit
C:\Users\Admin\AppData\Roaming\wou\ksm.docx

Filesize
1KB

MD5
cfe2da3b8867c06fb9d977843ddb803b

SHA1
78fea68e458d835cdc0f126efd69824442606d4a

SHA256
78b0bcf8ac5a6c2dfc6100d33e3e410c3034c35a81b46848d258dc2b6f0cfb13

SHA512
7bf89ee334cc8f774d5f82e9730ac8e56e4124135c1f7f873ea4722dc51ca23d4bd01df36df9b214baac4bcd1ff38450cf0d30b814827d9ab3b22f719d7e2271

Download Submit
C:\Users\Admin\AppData\Roaming\wou\lwd.dat

Filesize
1KB

MD5
5c23dd743fdaaace1d9c68b8f322ffce

SHA1
ba71258e17d5a984e8e3d9b9802d7ec6605caef3

SHA256
716549e2d672d382ed95ff2d31bf99aac8c45e6a2fdacd080016f9049a21c986

SHA512
a7cb6c70468060926e5aa93dc4e988947b23d3b5aa78064d1bcc2824e3f26d5d3748e5ac96305d80c41f83cef31060f300b4e847a358e867e61a2dbdabb354d3

Download Submit
C:\Users\Admin\AppData\Roaming\wou\mot.bmp

Filesize
1KB

MD5
f3d38da5dba9d1651ef24bf0d175f004

SHA1
0c7ddbcba9d154d5acc9efb009517ab16ba836f1

SHA256
752d1a04739a8c58a11e190f28ae40f28067f99283a9f5f2b7599d6626923d4b

SHA512
cea6863150c1e665429dbfffcb704fc37fbacce7c62d24f78169ccfb63fa29d0246cdaf20ee7cc1e1d1788ef11a8a2e5e4ab4c30cfc40813e6da08bfcb66d739

Download Submit
C:\Users\Admin\AppData\Roaming\wou\mtl.docx

Filesize
415B

MD5
49f498b35b3d709f0c5c3dfb03f490a5

SHA1
e020f4455c70fd8f898fffa6ece751a0472a0172

SHA256
47c2c4e239db2eddb632c1ff05ee2291765299045c125c7c34042d94d101b7f0

SHA512
76940ca6a02d20120a00d805ee2f4b4b3f9d4888a2d472f1f41a2048615ee95c73e031519858f40bcc4ac7c2e2b083f678e3a5ce4be12266deb24f6cb92a4276

Download Submit
C:\Users\Admin\AppData\Roaming\wou\mxs.jpg

Filesize
587B

MD5
be8f97023f92e04b41b452d84441cded

SHA1
febf06acf668daaf0171d5a0f0e1b710446f0a7f

SHA256
54187771cef906896f8dcd84a0e2c4c0d845c41838dd2bd6cd60326f5a90ad8d

SHA512
debc89107754d673c6b5a5af1e91992dca2d0db83d50cacaae34b6e6a04f11af5a272f921ad34278226eba87fbe43bc3cf82dca228ee08ee5d0353b9e7b940fa

Download Submit
C:\Users\Admin\AppData\Roaming\wou\nbm.dat

Filesize
246B

MD5
80dee780466a3f75c3509be0e5e98cce

SHA1
5e15d27e5805972f1c109c4c8381290beb5afd53

SHA256
5a69023af02f7e971cd4694975001d6aa750b5f763e07790162ddc3d8745effb

SHA512
7dd563cfa6473a99848d82b6e3677e63fd3fc4eaa0913bb14c44206c88c474cfe62d351cd4818aeb62efaf4cb776d8287c21fc993f958925af7f935ba514b2ee

Download Submit
C:\Users\Admin\AppData\Roaming\wou\nwu.docx

Filesize
843B

MD5
0243ca12e5766fb3d079c127fc7b2103

SHA1
5785d5659e484d5a5393197032613ce77ffd4d9d

SHA256
50ddce17dbba71f879bedb5dae385fa1dce4e0d15d7094be143c06fd711999b5

SHA512
3ef04d19149c6b50f11b36622adaf8907f01531ca1c84174c901de0d12c80c654a4a81c0a3817b88faf39bf5ad9a7bb713b44a610c8c2b6f967c20a1cd3313fd

Download Submit
C:\Users\Admin\AppData\Roaming\wou\odm.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\wou\ojc.pdf

Filesize
1KB

MD5
473bd1f91a0500328fca91d0ed01b805

SHA1
7f8f6d549922bd138f707c7e5ecba6b331b7cff3

SHA256
a9d4deb6982b2f20d8110c404bec430ce01dbc5f99d18ba7e7b1c7a2e780ae7c

SHA512
151e8dd508129e85e55c548991620e53244b0a9c0aeda76583dbefafcd659ca541bad6b73695c121f7dfeacd043d6006a637a697e94434dab0a8d8f449fe5983

Download Submit
C:\Users\Admin\AppData\Roaming\wou\oqe.txt

Filesize
1KB

MD5
31e568e8c4df86da069f66004c89f3f1

SHA1
51372e496617d255f6a0edbba8b588503ac8afb6

SHA256
77bfc59006d352b0975aab01dd04ff03fdd951c8468c5fe5c6b4a0fa546d1f93

SHA512
017e5ea6d0d2dcf4156c3cf5b8496ca80739c2b7a228868ec2d47dfbfc2a7c806c4f5625efc1b8e7c78d060eee915bd31258d075b704515789535a8128bbaef5

Download Submit
C:\Users\Admin\AppData\Roaming\wou\oqi.ico

Filesize
661B

MD5
534e6a0a1eca4e27eb21c59d6f33de44

SHA1
73fe641f5f903b485f9a19e898a09366da6edacd

SHA256
91d25744d2ba02c4a397c9dde0068b4b4b6b9d60aa355f529f610dd5473d30f3

SHA512
c1bbc2845652de7f0ffefca2a0675411ac1197718b31aca098e7f5807242eb0b4a697a37fdc08e635036fa514ac343ab4f92757b91612da57d682743086aed75

Download Submit
C:\Users\Admin\AppData\Roaming\wou\paa.icm

Filesize
383B

MD5
31df3d434d04af2020bb8c5ea6dbbdbe

SHA1
418bc412f9124f3d500b630e19e9b818a4094e85

SHA256
f3e60fdf63282ab79fdd00fa93c5e3f17de3df7e16ec329ff76e8ca5c0c68efe

SHA512
87e3bf6b71d786fff758f7af772a0d3fc656a5a2231a5abd4a3a540484edfd3a00d7e70fe6422a25eaaf0911600d5b6e5f53891a05f7105c6bbabf77e829c517

Download Submit
C:\Users\Admin\AppData\Roaming\wou\pjo.ppt

Filesize
146B

MD5
e5c4a1639b00cbef83de7d0bda534fe6

SHA1
106c36cf41971b53cd19d3704e3ecd1f8368735d

SHA256
057a5daf66900abe93d9135f3c6193ba2dfc1ec070e01172de67e759b9334d71

SHA512
2f9cf552d8ad76330e3356d824fd04641fb11c0de4da37a6b828947fc77cd6e24e95fae6396167684c7888f976af6515eb021709b1bd315b8ad3bbd8d006c669

Download Submit
C:\Users\Admin\AppData\Roaming\wou\rca.pdf

Filesize
1KB

MD5
d3ec0089ed8ddf2ca4cbcff5f0371745

SHA1
98989c59c5f14cc5237b0afa25c52b69b5215f0d

SHA256
2cb81d56aaaca616abaa2b096994242be5aade9b382674df3800693b2bf03a71

SHA512
45b3b96a6c8af9eb8b63cc1eb47d26fe0142b10378ba5384808ec443421e984319a2be27ab91836716e54b3d0e36aae3c1813b705c158c9665185f451c9c02a3

Download Submit
C:\Users\Admin\AppData\Roaming\wou\rid.ico

Filesize
1.2MB

MD5
a5f2dcee6a2a6047aa8fdde1ae2ce290

SHA1
7a082661c9a3431cd89ed4d9959178d60b9570f7

SHA256
7da78e767ff859970c8dae593b62f1366c2c651500eb280f0077a2245a9a8625

SHA512
e001300fc56f9bc8e9d61cb904ea6dec5ca447729015c9ff3dccc021f319fcce57ebaabb196a56f80d249dfbb88b4a0a273858cf14c7b9a93c10c9c8bc243d0a

Download Submit
C:\Users\Admin\AppData\Roaming\wou\rxv.txt

Filesize
91B

MD5
4c368067b7ce217ecbc983739afd1e4d

SHA1
6dcd19e491a5468edc1cd82d958b33685502b15f

SHA256
a73039d133add44cb8d5e825184b989a7c913bf3baf9750b9b9a1128bc976052

SHA512
0463c608f743506598f957da4c9711a802734997ef05dd6d27470c6a7a6415396da372198a9b891abd4ab036932c7a03c7fb90c1b8a0a811a0e0e4dd72e74247

Download Submit
C:\Users\Admin\AppData\Roaming\wou\sfd.icm

Filesize
1KB

MD5
53dbba59ada5a1e1eb2230a672191186

SHA1
a0aff2e66432b2cb109e51e66090e45e998940e5

SHA256
545d67c686751a0ca69f18132b0a893de19e0377f618424a40a679eaa7a2814e

SHA512
eee8f42cb24dc02e5a5bd304c823b78417fd4618e7281b9393e4f11de254c2b3a3eaeaebc1fe8826588638cc78065c383076e786ce4f2c7448724b191e2c276c

Download Submit
C:\Users\Admin\AppData\Roaming\wou\smf.pdf

Filesize
2KB

MD5
7664a0c7b97b88cc4ede3eea084c334f

SHA1
494565296c16d89221b99dd5f37bd3bcf1027dcb

SHA256
418c9158137ac75fc689c1ac3451aacf5cab48fb59eef92e27ec8fa0d54be496

SHA512
3d32ad841018f047cfc97925b418050afbe0bdc2dff03a7fd46b42642d5c94e8e2c0526f5d7f5452f683bda243fab633990e91ad6b8b08aea5bca7ba83192537

Download Submit
C:\Users\Admin\AppData\Roaming\wou\soj.txt

Filesize
1006B

MD5
69661af81e86a33ae392cdbbc8b4b5fd

SHA1
90aecd78ab56466b3d8352009493df1d9802245e

SHA256
6dd07309a0b31d813679d0252c827aebed50984e24b8b2e568bd8317aeb692ff

SHA512
491a341740f1b5494cf1e248a7b6a89b80e54ab1f83541718ea357d9fcb900c3319b5ce89a5d9886e094545f9ce14906c008f0bfbcaa75f2beea9aabd74df717

Download Submit
C:\Users\Admin\AppData\Roaming\wou\ube.jpg

Filesize
2KB

MD5
57a4fa257aae3de3f1148ecfe0eb9cd2

SHA1
9c1bbaafe78b1d8da4f4f27ff025c193cf74c518

SHA256
8b3b37c688a1414d4dd3f5e427074b0658ddbbb0fcf46029a1d21ea2099fd02a

SHA512
c21621f73dabe55b3531eba8c1e913f599c1fdc556b2fd20cba0c8e2520cac05140d04c48e844fe91ecebbe3a5719e28e300ba82929cfd99b463710bae4d06b7

Download Submit
C:\Users\Admin\AppData\Roaming\wou\uec.txt

Filesize
505B

MD5
60d760043e304021c8e3f8d383fea050

SHA1
57317f3442f3c3e13fbf5f3eec109b570cbfe72e

SHA256
20fdb88ce41dd595053d95e526ecac495d4436d6b866f9bacecab613c7d7a2c0

SHA512
1fd0a46a80f86b26d051d129bc64ebd4e60f09fd915855377f0edbd595e011dd7083c904445752e19c7586df11caf7539d30ee640c13e6f4cebe5c75d6925811

Download Submit
C:\Users\Admin\AppData\Roaming\wou\ueu.docx

Filesize
637B

MD5
0a00e098ac99220d9fd2663097671f49

SHA1
e6de774a3789df2095d9853b2241c594129c7157

SHA256
1f55b2e9850fff656708c95b8b1c97747584336faf3f90475af8b3cdfab9f5b7

SHA512
cf80ec56e75621767be7ce08ee2011d4f0f27307952d696cd157112d71a2d2f4a513e60832e4bea69df83b58c5f5f3f2588480882402ef4f45fec1e624818108

Download Submit
C:\Users\Admin\AppData\Roaming\wou\usa.dat

Filesize
1KB

MD5
67ab78e5e873d4442f39e52c726d5e63

SHA1
90af7b8a4285b8e6cbc1c2af4508876ffaa1950c

SHA256
9e812dc3b3cf2787f052f993d118bf2e28bdf30fc0db69372e8e75a6987eb709

SHA512
3a443b80c64a1709e9e999848c16ff73aa5f22da694ccc2a8609a907b43e23becde3d571050fe3decc640db959e4e31586c1952d15784ae3cecda1c31ba9fd80

Download Submit
C:\Users\Admin\AppData\Roaming\wou\wab.pdf

Filesize
1000B

MD5
8ae71af478d0120d0a7b05f6b39f08eb

SHA1
98c63403b68da9c036d907fe9473a45e290c575c

SHA256
384c4b9e60d53f4ad0de9db8bf46e9df3b66591da7435f4d839edc343810246b

SHA512
085e15311cc52eb7680636b427dc2af425e861ae5c6d0b0da4896389756b3d215ea314e487ea72f6d552f6c74b0e91ef9000b08c314e5021e3ce8ab0a8cf9c1c

Download Submit
C:\Users\Admin\AppData\Roaming\wou\xpf.bmp

Filesize
982B

MD5
52ca523bd08fb33b73317342b9af50cb

SHA1
7094478176042d0fe4125ae388f1c89575585443

SHA256
33dff5d22ff9d583e48fe46330f2ed6aada86b3d5f54444c26ba88cdfa7505f3

SHA512
1e00f835310015b723ec64bf1ee8afe81a167228904ed277335307686c625c8145f740508261f308b65725d949931669195ad9e10395b8ef9b7b4f68123a1f02

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
62a1c207dfd27fe9e89f571c06dc894c

SHA1
e28c428ec5e27a286c27ecfff0e3d175987adad6

SHA256
e8e687527fdeefd522b22924ad995f638860014a404d3827b8d39fc816b71f51

SHA512
cf26934122149ee8418a72cc7bae4489e85e2bc6481c8c33b3394aa388fd1a80dda1e537d2646f7fba872596a3cad58be40ce78ca4756e53587c4ddc4a94154d

Download Submit
memory/404-220-0x0000000000E60000-0x0000000000E7A000-memory.dmp

Filesize
104KB

Download
memory/1148-16-0x0000000005500000-0x000000000550A000-memory.dmp

Filesize
40KB

Download
memory/1148-13-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1148-12-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

Filesize
4KB

Download
memory/1148-203-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

Filesize
4KB

Download
memory/1148-819-0x0000000007F70000-0x000000000800C000-memory.dmp

Filesize
624KB

Download
memory/1148-818-0x0000000007E80000-0x0000000007ECC000-memory.dmp

Filesize
304KB

Download
memory/1148-25-0x0000000005800000-0x000000000581C000-memory.dmp

Filesize
112KB

Download
memory/1148-18-0x00000000082B0000-0x00000000087DC000-memory.dmp

Filesize
5.2MB

Download
memory/1148-17-0x0000000074F60000-0x0000000075711000-memory.dmp

Filesize
7.7MB

Download
memory/1148-222-0x0000000074F60000-0x0000000075711000-memory.dmp

Filesize
7.7MB

Download
memory/1148-15-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/1148-14-0x00000000059C0000-0x0000000005F66000-memory.dmp

Filesize
5.6MB

Download
memory/1472-174-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1472-207-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3188-178-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3188-206-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4868-249-0x000001F2F4F70000-0x000001F2F4F92000-memory.dmp

Filesize
136KB

Download