Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    19/03/2025, 02:33

General

  • Target

    2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe

  • Size

    1.0MB

  • MD5

    6f1f60d754943d430fc0972d80250baa

  • SHA1

    adf06a5a69d5baf86e78f43e239ad4e0e8f25315

  • SHA256

    768e033c269b8035a23a73c3b31be5d659daa626daa08c17a3b302cc07fe2348

  • SHA512

    bd4e2ce0cf5a86d538e815efce24062155b6026ffa2b03564a001f0eaccf39c02b2b17a6fe5676b338bb6ac8e73df160a9e9e2af80cdb6821aba72764386e522

  • SSDEEP

    24576:TR+cl7X1BRnI6hmebOe1gmx2Jg+DTcTugiIwsQhlRv9x/9K4CfFiEr0CJ:l+clb1BRntmeSKHStRv9xFK1gEr0E

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Badrabbit family
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

    Payload decoded via CertUtil.

  • Enumerates connected drives 3 TTPs 6 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 12 IoCs
  • Modifies Control Panel 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
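The behaviours the signatures above flag (CertUtil decoding, timeout-based delays, schtasks persistence, rundll32 loading a non-DLL module, the wallpaper refresh, a .tmp executable launched from C:\Windows with a named-pipe argument) can be checked directly against process-creation command lines. The following is an added example, not tria.ge code and not part of this report: a small classifier run over events constructed from the command lines in the Processes section, with the PIDs the report shows. The tag names and the functions `split_args`, `schtasks_options`, `classify`, `scan` and `persistence_tasks` are this example's own.

```python
"""Classify Windows process-creation command lines against the behaviours
named in the report's Signatures section.  Added example, not tria.ge code.
EVENTS is constructed from the command lines in the Processes section."""
import re

# Constructed from the report's process tree: (pid, image path, command line).
EVENTS = [
    (2708, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\96D3.tmp\96D4.tmp\96D5.bat C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"'),
    (2932, r"C:\Windows\system32\certutil.exe", 'certutil -decode "Image.bin" "Encrypted.jpeg"'),
    (1512, r"C:\Windows\system32\timeout.exe", "timeout /t 3"),
    (2260, r"C:\Windows\System32\RUNDLL32.EXE",
     r'"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters'),
    (2880, r"C:\Windows\SysWOW64\rundll32.exe",
     r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"),
    (2968, r"C:\Windows\SysWOW64\schtasks.exe", "schtasks /Delete /F /TN rhaegal"),
    (1156, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3520851949 && exit"'),
    (2164, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:52:00'),
    (2040, r"C:\Windows\9FD8.tmp",
     r'"C:\Windows\9FD8.tmp" \\.\pipe\{597B9A13-A764-49B5-9284-69C67B8BCE2D}'),
    (2968, r"C:\Windows\SysWOW64\certutil.exe", 'certutil -decode "Data.lp" "KillWin.exe"'),
]


def split_args(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs
    together; a backslash-escaped quote (as in the rhaegal /TR) does not end a run."""
    args, cur, quoted, prev = [], [], False, ""
    for ch in cmdline:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        prev = ch
    if cur:
        args.append("".join(cur))
    return args


def schtasks_options(args):
    """Map /SWITCH tokens to their value (or True for bare flags such as /F)."""
    opts, i = {}, 1
    while i < len(args):
        if args[i].startswith("/"):
            key = args[i][1:].upper()
            if i + 1 < len(args) and not args[i + 1].startswith("/"):
                opts[key], i = args[i + 1], i + 2
            else:
                opts[key], i = True, i + 1
        else:
            i += 1
    return opts


def classify(image, cmdline):
    """Return the sorted behaviour tags one process-creation event matches."""
    tags, low = set(), cmdline.lower()
    exe = image.rsplit("\\", 1)[-1].lower()
    args = split_args(cmdline)
    if exe == "certutil.exe" and any(a.lower() in ("-decode", "/decode") for a in args):
        tags.add("certutil_decode")                      # Deobfuscate/Decode Files
    if exe == "timeout.exe":
        tags.add("timeout_delay")                        # Delays execution with timeout.exe
    if exe == "schtasks.exe":
        o = schtasks_options(args)
        if "CREATE" in o:
            tags.add("schtasks_create")
            if str(o.get("RU", "")).upper() == "SYSTEM":
                tags.add("schtasks_run_as_system")
            if str(o.get("SC", "")).upper() == "ONSTART":
                tags.add("schtasks_onstart")             # boot persistence
            if "shutdown.exe" in str(o.get("TR", "")).lower():
                tags.add("schtasks_forced_reboot")
        if "DELETE" in o:
            tags.add("schtasks_delete")
    if exe == "rundll32.exe":
        module = args[1].split(",", 1)[0] if len(args) > 1 else ""
        if module and not module.lower().endswith(".dll"):
            tags.add("rundll32_non_dll_module")          # e.g. C:\Windows\infpub.dat
        if module.lower() == "user32.dll" and "updateperusersystemparameters" in low:
            tags.add("wallpaper_refresh")                # re-reads the per-user wallpaper setting
    if exe == "cmd.exe" and re.search(r"\\temp\\[^\\]+\.tmp\\.*\.bat", low):
        tags.add("batch_from_temp_tmp_dir")
    if image.lower().startswith("c:\\windows\\") and exe.endswith(".tmp"):
        tags.add("tmp_executed_from_windows_dir")
        if "\\\\.\\pipe\\" in low:
            tags.add("named_pipe_argument")
    return sorted(tags)


def scan(events):
    """Return [(pid, tags)] for every event that matches at least one behaviour."""
    return [(pid, t) for pid, image, cmd in events if (t := classify(image, cmd))]


def persistence_tasks(events):
    """Scheduled tasks created via schtasks /Create, keyed by task name."""
    tasks = {}
    for _pid, image, cmdline in events:
        if image.rsplit("\\", 1)[-1].lower() == "schtasks.exe":
            o = schtasks_options(split_args(cmdline))
            if "CREATE" in o:
                tasks[str(o.get("TN", ""))] = {"run_as": str(o.get("RU", "")).upper(),
                                               "schedule": str(o.get("SC", "")).upper(),
                                               "action": str(o.get("TR", ""))}
    return tasks


if __name__ == "__main__":
    for pid, tags in scan(EVENTS):
        print(pid, ", ".join(tags))
    for name, t in persistence_tasks(EVENTS).items():
        print(f"task {name}: {t['schedule']} as {t['run_as']} -> {t['action']}")
```

The same `classify` can be pointed at Sysmon Event ID 4688/Sysmon Event ID 1 records from a real host; the schtasks parsing is the part worth keeping, since the rhaegal task's /TR value carries escaped quotes that a naive whitespace split would break apart.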

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe
      "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\96D3.tmp\96D4.tmp\96D5.bat C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
        3⤵
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\system32\mode.com
          MODE CON: COLS=100 LINES=25
          4⤵
          PID:2832
        • C:\Windows\system32\mode.com
          MODE CON: COLS=100 LINES=25
          4⤵
          PID:2884
        • C:\Windows\system32\certutil.exe
          certutil -decode "Image.bin" "Encrypted.jpeg"
          4⤵
          • Deobfuscate/Decode Files or Information
          PID:2932
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          4⤵
          • Delays execution with timeout.exe
          PID:1512
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          4⤵
          • Delays execution with timeout.exe
          PID:1944
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          4⤵
          • Delays execution with timeout.exe
          PID:948
        • C:\Windows\system32\timeout.exe
          timeout /t 5
          4⤵
          • Delays execution with timeout.exe
          PID:2024
        • C:\Windows\system32\timeout.exe
          timeout /t 5
          4⤵
          • Delays execution with timeout.exe
          PID:2436
        • C:\Windows\system32\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          PID:1432
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:2260
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:2996
        • C:\Windows\system32\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          PID:2100
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:1688
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:2972
        • C:\Windows\system32\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          PID:2108
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:1584
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:2876
        • C:\Windows\system32\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          PID:852
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:1592
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:2312
        • C:\Windows\system32\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          PID:2080
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:2360
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:2748
        • C:\Windows\system32\timeout.exe
          timeout /t 4
          4⤵
          • Delays execution with timeout.exe
          PID:2428
        • C:\Windows\system32\wscript.exe
          wscript "m.vbs"
          4⤵
          PID:2940
        • C:\Windows\system32\mode.com
          MODE CON: COLS=100 LINES=25
          4⤵
          PID:2232
    • C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
      "C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Delete /F /TN rhaegal
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /F /TN rhaegal
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2968
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3520851949 && exit"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1452
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3520851949 && exit"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1156
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:52:00
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1760
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:52:00
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2164
        • C:\Windows\9FD8.tmp
          "C:\Windows\9FD8.tmp" \\.\pipe\{597B9A13-A764-49B5-9284-69C67B8BCE2D}
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2040
    • C:\Users\Admin\AppData\Local\Temp\FMLN.exe
      "C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9702.tmp\9703.tmp\9704.bat C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\SysWOW64\mode.com
          mode con: cols=170 lines=45
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2728
        • C:\Windows\SysWOW64\certutil.exe
          certutil -decode "Image.bin" "Wallpaper.jpeg"
          4⤵
          • Deobfuscate/Decode Files or Information
          • System Location Discovery: System Language Discovery
          PID:2924
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2936
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2092
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:1752
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:756
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2456
        • C:\Windows\SysWOW64\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          PID:2420
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1572
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1368
        • C:\Windows\SysWOW64\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          PID:2340
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2712
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2604
        • C:\Windows\SysWOW64\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          PID:1748
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1632
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1480
        • C:\Windows\SysWOW64\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          PID:1928
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1256
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2668
        • C:\Windows\SysWOW64\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          PID:872
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1044
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2304
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 4
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2588
        • C:\Windows\SysWOW64\certutil.exe
          certutil -decode "Data.lp" "KillWin.exe"
          4⤵
          • Deobfuscate/Decode Files or Information
          • System Location Discovery: System Language Discovery
          PID:2968
        • C:\Windows\SysWOW64\wscript.exe
          wscript "m.vbs"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0.vbs

    Filesize

    383B

    MD5

    e8ac1f187bb02b76ff45f3a3977c6669

    SHA1

    a6246d99d7f0347e246399576342e7e118d6cb2a

    SHA256

    8b163a7e7bc1048d74b3b0298b85bc453cf349c9adb53d76adf391ef0491db26

    SHA512

    f7f67854fdd19718a5fe8aaf99cf722ffb73a8151c8d3f214e89b44b0c4cba24c5fbfd390246e9cb2423919d0b4f694117c09b7697853168156d77efbb83397b

  • C:\Users\Admin\AppData\Local\Temp\0.vbs

    Filesize

    766B

    MD5

    72b5aee695ab8f7c40fca542592817a5

    SHA1

    8045fa50bcecaa5eeac4284650642d7b901a4772

    SHA256

    60c004e57de6111ce9718faf9af4bed371e0d2c95a70bc9e2cce0c468b098d27

    SHA512

    5e6fb67f99f577f1e2bcde5de5ea02fbe61707a1287f9d4a395207e8a61616ed08c7fe6d1415183b4708eb34e369af102b7716a540d1f5a4a11f04e4d86de160

  • C:\Users\Admin\AppData\Local\Temp\00000.eky

    Filesize

    102B

    MD5

    c235ac18d98e81059d6fd899ca1c96ee

    SHA1

    175091580ae178588fdd8d6ae2aef962284df7c1

    SHA256

    b88732a3c424a74a258ecaab8cd8dc37abc3d1ef91ec56b960b476295cfc904f

    SHA512

    c49be3b59b01b6f2f31bf948da8b40624fea0ca5e4c9bf0c07adc2ccdc976ada7a49164aedfde5c6ffbc691117075d2635810074adfa5f1cea191f74b54c2e1d

  • C:\Users\Admin\AppData\Local\Temp\00000.pky

    Filesize

    98B

    MD5

    ef0f55eaea622f6bcf30b77f83f20025

    SHA1

    df644565103d17265b4f05155409075749e7afb3

    SHA256

    b870d117bd87228b787405ce1e70170dcebc4e0adb3ff34c55a2a409ed804787

    SHA512

    aa788a36076882e04e7245b7db7b5ab0ef5f5ae4d6937b9fccef94aa468f1f53477b66c73b91323a7640420e3b5f720aaa848ae4915ffeba7709ca0fbabb88ec

  • C:\Users\Admin\AppData\Local\Temp\00000.ple

    Filesize

    94B

    MD5

    9d41c37abfe751cd940059cfd50a83c8

    SHA1

    9d62ed58702431deb12ce7dba0d283249910641a

    SHA256

    8fb448cdcf95f10f813d4ffd8af563b1d71eb5c841dcdd7247a550724c682956

    SHA512

    a2aae432741e2e20b7f2850b5de2f78066df14948677495771dcf426345619c61ca055e7c3256d658a27c0571ef59cfb192c58aebfaac70f695abd22af9ca075

  • C:\Users\Admin\AppData\Local\Temp\00000.res

    Filesize

    100B

    MD5

    9ba95168b2fb2defb7928ba7a7d7166d

    SHA1

    8ebe303feaf4eaf781505fb684d0d400e18deb7f

    SHA256

    2a9fa8c2d69becb593a53de007734d433a1e258be65556110600b6c5a81346cc

    SHA512

    857e004f2d90a3950693009edc60a0c6bda17d3ec1d0db049b7e8212e8b3b86111c12905b5cc5ca71548f18e043573f49bafc4820c84b9527fb3ebe339451b0d

  • C:\Users\Admin\AppData\Local\Temp\00000.vhc

    Filesize

    100B

    MD5

    10839063b35ed650bea9ba297eacaf0c

    SHA1

    f521b53f381f5e8ba9c57cb0fe67074a862a251c

    SHA256

    84ebbce9827ab4b0074aa8b0337c56c5a91adbeb3f261576edea3413b545e92e

    SHA512

    ffee1932d490c5c2fcbdc58802bd2e008345d1c8c30ca306484060b9ef218eb74791ca98a40f115cabfac04e8137efabae711ad29f288ad4046b64697391eea2

  • C:\Users\Admin\AppData\Local\Temp\00000.zsc

    Filesize

    98B

    MD5

    4aeb7ffcb5cb78e495968fd46655d86c

    SHA1

    0e4a0979c45b543b5e21dcd52dc39a4ee1fac505

    SHA256

    02748525c1899a7c95e421b9dfb3309eab21d44eee087a58f09a5fa137c33f8d

    SHA512

    3e80722bae2acec63a94a9201afae6edc3527f23e416c8728e28be6190ec18cd93a2778d749a90e48d88cb615fd0676c273062ad5e63484df0790e0547367394

  • C:\Users\Admin\AppData\Local\Temp\26294_28891.bat

    Filesize

    127B

    MD5

    71f2ece5d6de26f528ff0e1c9382f1c9

    SHA1

    12b4fe9e4f1d4e0ea494393282baeb58f5991c8e

    SHA256

    648b31ac461f2539e111298e9d5f8e154ed8852a4f8c57cceec17504da8cdb01

    SHA512

    0236aa82c44f9cdc7230d2b46c910c794820202e697031c893ed8502883f310bc202beee7d4a502f5508c8f6c320f9479e48be30f24f344624a0224a1f549c56

  • C:\Users\Admin\AppData\Local\Temp\26294_28891.bat

    Filesize

    254B

    MD5

    3eadf821e9271820583661c8cdaf5701

    SHA1

    6532947dab5f3c12e5503b1d3adafb298b22267b

    SHA256

    15ac88a018fe3772f5b66bcb0c113714be8efe1ed9cc4b295ca53d58745fbe25

    SHA512

    2dd8e8c7165bc694c7c2b6bdaa0d0b5dbea921bb49e318b465db4896c98bce4f594d754729b61cb9781ed9748eba46f739acef3764d8de1eb5db4dbdaf1fb166

  • C:\Users\Admin\AppData\Local\Temp\96D3.tmp\96D4.tmp\96D5.bat

    Filesize

    33KB

    MD5

    4b42191175209ea23203acc526307c00

    SHA1

    a77abea54f5b2a0084fd1574a1c5b6e1df1df054

    SHA256

    4ce518699c3f97015eb2f81b09325c8f67213d0efaec73bbf924a5bdf3d5152c

    SHA512

    fb35705095153a587a253160a92268c8e03605f87ecbb45dd3a0c4ca59e255046188cb9476d99f8164458506d2e5057e6127f0e0fe7997471e7381cc4a08ec42

  • C:\Users\Admin\AppData\Local\Temp\9702.tmp\9703.tmp\9704.bat

    Filesize

    54KB

    MD5

    93841169c4264ce13735e8b116d06226

    SHA1

    1ceac2fe01f6bdb37bdeb73ba13cd7ed99d0f608

    SHA256

    82bf8fbb4b79fdd9a21518373ddd57fc2d6c53599458a055f64e20d40dc85f2b

    SHA512

    ce98cac504828ac676d1069f6d0cedc55ff68bf51d2b01df0108ec632bdc0aa1f809ef6ddb000fa1c59ea66723c903cf37412d98f59ff7032777a45b2c72e871

  • C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe

    Filesize

    122KB

    MD5

    d6e36f6b145a4601a84835b7e8a0bbc2

    SHA1

    3c7e26433f5f42fe69fbe4b3c2e6d9d7b196697c

    SHA256

    46038db7643482e1d25939e6c7be35a7e7529fd716570e25e4137f6a79a1c316

    SHA512

    e10acbaa6e1cd5cc4350dc789841e2638fb50b152aebc65bee2c07ad94f7e6ae1ce6bd51c5f5f6952f970ee364f2515417608e872c3b97b0cf749bb86fa0b72e

  • C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe

    Filesize

    431KB

    MD5

    fbbdc39af1139aebba4da004475e8839

    SHA1

    de5c8d858e6e41da715dca1c019df0bfb92d32c0

    SHA256

    630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

    SHA512

    74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

  • C:\Users\Admin\AppData\Local\Temp\Data.lp

    Filesize

    19KB

    MD5

    c63727e7d32cd53e644d8ab3435778fa

    SHA1

                                4f187b6d1a0839ffff7bcc69368b40ca007067b3

                                SHA256

                                91d5604845d13992f916f56c2301cf866973520ef647a5d7073cdddc0bca3d00

                                SHA512

                                278aa953b1578c2b7eebcd6d4dc3241a3e8862ce1ebafb2e37ec3715f2f92833f147c41227052f8ec6f06ae35d71f810913b3c28dd1675ee5e473559b3e85bc7

                              • C:\Users\Admin\AppData\Local\Temp\Encrypt.sk

                                Filesize

                                365B

                                MD5

                                5642d94004b9f24bc2262483b3d1499a

                                SHA1

                                094381a411568a86663475fa81b350b463aa3a5e

                                SHA256

                                57717798e06d9165f4f6c77d810957e20498693f4b235b0ed7683e51036689b9

                                SHA512

                                c1f08019dbf024ba7fc0b799faa9c7f8986a0eb9f86deb98ceda116816d9914bbf8ccce88df2bec500819a43562923a858e6f73a89551cf4a1645a39f00b5d21

                              • C:\Users\Admin\AppData\Local\Temp\Encrypt.sk

                                Filesize

                                438B

                                MD5

                                6d0badfaf13fdb9eacbab215a85fa987

                                SHA1

                                5f7f1d49ef33ef53dec8fda1af73b548ad1e50ec

                                SHA256

                                07056bdfa82defbdbe653d369f71e0f1e53ec890c2167360a1cb3331990716c3

                                SHA512

                                478b746061f9ce1f45edfefe863c5c665d722239dcbbaa7a17a9db7bf71b7cfd1e8a9b39e8dd03c0f490bc392bf1f4051c23105753352fd30928015d647280be

                              • C:\Users\Admin\AppData\Local\Temp\FMLN.exe

                                Filesize

                                258KB

                                MD5

                                c87988e35ec34779191f42b6213fdec1

                                SHA1

                                81036dcf6ea331243f2d512b8ac9611a95a18ea1

                                SHA256

                                96f3ce153153f922fb18e4722b0348aee2c76022bcdee75fadab97023003fe10

                                SHA512

                                ba32f9bc18fb187fa4dc03bb1db903255c16af62dc903521ddd8fb120e5599bbccb4fa12255f0195a5e51b6a99ee5228bc0515f299c0ebb1b1a5134e61aab9e4

                              • C:\Users\Admin\AppData\Local\Temp\Image.bin

                                Filesize

                                26KB

                                MD5

                                1e58f28f62db67039021c841fbe6a59d

                                SHA1

                                eb2ae648f1e09db4995f885463689d0a7aa2f06a

                                SHA256

                                eaedd7e3554c7229c7cf256797a551c76dc60099a97c44a78cd229be632f2630

                                SHA512

                                f778b345d3c6add5abf6824938449a79fdfddc606620bf173c69b9f7804cadc900759363b7e74dfde7b8283d8f0c96aec02a94a46eee6f0dc7633327e1413e81

                              • C:\Users\Admin\AppData\Local\Temp\Image.bin

                                Filesize

                                40KB

                                MD5

                                d02e3f265ee32c6b74f6d39f636ee3b4

                                SHA1

                                8ee895504ecad2ba4a443b0d97b8b999315f0cfe

                                SHA256

                                f118bbd880ac2bcf725c8310d6a33a6b07f15817526283373235291e1035dd02

                                SHA512

                                f0e55e031f52b9ddfba885b937b5af17b7f626b6149d1952b599fd972632b1fb500affe8b7e3710ed80fddcbe415ba27c21a97f135b14e9bee838b13697a0af3

                              • C:\Users\Admin\AppData\Local\Temp\KillWin.exe

                                Filesize

                                14KB

                                MD5

                                3713a4dfdfa399b20561aa8bcbea1b25

                                SHA1

                                8109cb8e9e9c00fba74d456c1756799c72072989

                                SHA256

                                8e4e731640114f96219d4aa6ce2416c2f1db7e75834cdca91c380de6b0eebbaa

                                SHA512

                                a34244e4622648dc19f2efa001bf461cec7794bb7050fadacd5369272d83db87fef711afbb5a108b7665304430a419ee7fdf09c2e8155f496eba1a321142b090

                              • C:\Users\Admin\AppData\Local\Temp\README.txt

                                Filesize

                                481B

                                MD5

                                024687938384c317e0cf97539bf4604e

                                SHA1

                                9c2563f37bacca7b409a3a378bfa1174442f8bb5

                                SHA256

                                c996d58bcddf5b1dff51eb4299fbca035cb1240a55e8b7f8c55dd63553bc41ff

                                SHA512

                                acd630bd58fac3122a85f348b9f7c3089b0050a6b691d159f338c8285641885230ba96f2285453de6dd2dad9123a1fad050868eee3ce07b94d25616e6bdfb1d2

                              • C:\Users\Admin\AppData\Local\Temp\README.txt

                                Filesize

                                1KB

                                MD5

                                3785d929ef78259c75c78ad78f775516

                                SHA1

                                6683ada895e3cd0a0b02391d7d2c9f32bdb60fd7

                                SHA256

                                a7b846a477991865fa15e7d68096bb652343d2435a115af79a6e69c67da1d53c

                                SHA512

                                5905dcff1f6452a922a30706934268a1bb37c3e4c9801e50562a073dc30b8a2d3c5925f4b26a44b41faafc36f20c0e55494a586ca2678b4e0c74be747d305d1d

                              • C:\Users\Admin\AppData\Local\Temp\Wallpaper.jpeg

                                Filesize

                                15KB

                                MD5

                                20aba01130e85571476712c784af05b0

                                SHA1

                                54c9002381bafbfa648dd3f5c77b1830efc1dc85

                                SHA256

                                72bdac2468fa4e19f8915817f380ceeb96ff94a64a3e29e64ac79b65bed2f6ac

                                SHA512

                                c84a603b359d3e7097229161d22a69c574a582cbbd21c8343fa06986b5058125763196b8d4e2f7bf51400ffaba63e9c565e42c32759b973439f46e5a9f84b19f

                              • C:\Users\Admin\AppData\Local\Temp\m.vbs

                                Filesize

                                71B

                                MD5

                                cbaa7c6cb3c383b11dd691b316f2a91b

                                SHA1

                                0f2d66cea7cc24e0dda9972e05a7b236a9bcbc9e

                                SHA256

                                5f1ffcde4ee668c3350fdd9730df67adc35c704342ac2224924069c9bae2be95

                                SHA512

                                fe74a8ccd7875e7bf9588d386fd886810dc0edd01216bf5a886add985fcbb813296a606ec83028a90d30b4df348125827300a98f2ec6081a5d981d09316a44f9

                              • C:\Users\Admin\AppData\Local\Temp\m.vbs

                                Filesize

                                142B

                                MD5

                                2ea256fad336c721bdeb17a95e3e8898

                                SHA1

                                668567339ff0b55b71aad4f234df9d3a3b349b18

                                SHA256

                                82e480783004826de7be825bcf2a05108d7531700cf8fb0ed272f641ce537d44

                                SHA512

                                eb7cfed75667b1fa2537bf5caa27334dff71dd343af9422977cb1ada6e41841e4e487172758e5dda28d63e93eeec9bf89b74942666ac6d0c5dd1e317bceb5df5

                              • C:\Windows\9FD8.tmp

                                Filesize

                                60KB

                                MD5

                                347ac3b6b791054de3e5720a7144a977

                                SHA1

                                413eba3973a15c1a6429d9f170f3e8287f98c21c

                                SHA256

                                301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

                                SHA512

                                9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

                              • C:\Windows\infpub.dat

                                Filesize

                                401KB

                                MD5

                                1d724f95c61f1055f0d02c2154bbccd3

                                SHA1

                                79116fe99f2b421c52ef64097f0f39b815b20907

                                SHA256

                                579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

                                SHA512

                                f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

                              • memory/2880-111-0x0000000000450000-0x00000000004B8000-memory.dmp

                                Filesize

                                416KB

                              • memory/2880-43-0x0000000000450000-0x00000000004B8000-memory.dmp

                                Filesize

                                416KB

                              • memory/2880-52-0x0000000000450000-0x00000000004B8000-memory.dmp

                                Filesize

                                416KB

                              • memory/3020-37-0x0000000002060000-0x0000000002061000-memory.dmp

                                Filesize

                                4KB
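The dropped-file entries above are most useful as hash indicators. The following is an added example (not part of the tria.ge report or any tool the report describes) of a small hash sweep: it embeds the SHA256 values of six of the dropped files exactly as listed above, hashes every regular file under a directory and reports SHA256 matches. The function names, the directory walk and the chunked reader are illustrative choices, not anything the report specifies.

```python
"""Hash-based IoC sweep over the dropped files listed in the report above.

Added example, not part of the tria.ge report. REPORT_IOCS holds SHA256
values copied verbatim from the report's dropped-file list; the function
names and the directory walk are illustrative.
"""
import hashlib
import os
from pathlib import Path

# SHA256 -> label, copied from the dropped-file entries in the report above.
REPORT_IOCS = {
    "5f1ffcde4ee668c3350fdd9730df67adc35c704342ac2224924069c9bae2be95": "m.vbs (71B)",
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da": "BadRabbit.exe (431KB)",
    "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648": "infpub.dat (401KB)",
    "8e4e731640114f96219d4aa6ce2416c2f1db7e75834cdca91c380de6b0eebbaa": "KillWin.exe (14KB)",
    "46038db7643482e1d25939e6c7be35a7e7529fd716570e25e4137f6a79a1c316": "A2-Cryptor.exe (122KB)",
    "96f3ce153153f922fb18e4722b0348aee2c76022bcdee75fadab97023003fe10": "FMLN.exe (258KB)",
}


def hash_file(path, chunk=1 << 20):
    """Return md5/sha1/sha256/sha512 hex digests of one file.

    The file is streamed in `chunk`-sized blocks so a large binary does not
    have to be loaded into memory; all four digests are updated per block.
    """
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in digests.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in digests.items()}


def sweep(root, iocs=REPORT_IOCS):
    """Walk `root` and return [(path, label)] for every file whose SHA256 is in `iocs`.

    Matching is done on the content hash only: as the report shows, the same
    path (Encrypt.sk, Image.bin, README.txt, m.vbs) was written more than once
    with different contents, so a path alone is not a reliable indicator.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                sha256 = hash_file(path)["sha256"]
            except OSError:
                # Locked, unreadable or vanished file: skip it instead of aborting the sweep.
                continue
            label = iocs.get(sha256)
            if label:
                hits.append((str(path), label))
    return hits


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, label in sweep(target):
        print(f"MATCH {label}: {path}")
```

Run it as `python sweep.py <directory>` on a mounted image or a suspect host's `%LOCALAPPDATA%\Temp` and `C:\Windows`. Exact-hash matching only finds byte-identical copies of the dropped files; a repacked or recompiled sample will not match, so treat this as confirmation of this specific run's artifacts rather than as family-level detection.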