chaos | 3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

25/03/2025, 13:05

25/03/2025, 13:01

25/03/2025, 12:55

25/03/2025, 12:51

05/02/2025, 11:16

16/07/2024, 08:54

Analysis

max time kernel
91s
max time network
90s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
Size

71KB
MD5

8f033c07f57f8ce2e62e3a327f423d55
SHA1

57ac411652d7b1d9accaa8a1af5f4b6a45ef7448
SHA256

6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b
SHA512

f3712e7d5d55b27a4c20de07cce136e6d58ce62fa146d29b34dece6248e4456139703c50df10cb318346311cfeee0a8449d49163e821744efcde3ecfe8b880df
SSDEEP

768:zncoLkaCbCq2l52DbnoPV0Yglwlu1y7e7th3BuItxn:QoLkaCb12l0DbCV6Wqyixn

Score

10^/10

chaos defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Updater6\Restore_Files.html

Ransom Note

<img src='https://odkrywcyplanet.pl/wp-content/uploads/2020/05/galaktyka-Cosmos-Redshift-7.jpg' alt='' width='235' height='167' /> A S T R A L O C K E R 2.0   What happened? ---------------------------------------------- All Your files has been succesfully encrypted due to security problem with Your PC. All Your backups are deleted, or encrypted. Can I recover my files? ---------------------------------------------- Sure! But You need special decryptor for that. If You want to recover Your files, you need to cooperate. What can I do to get my files back? ---------------------------------------------- You can buy my decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only. What guarantees? ---------------------------------------------- I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data. How do I pay, where do I get Monero or Bitcoin? ---------------------------------------------- Purchasing Monero or Bitcoin varies by country, it's best to do a quick google search yourself to learn how to buy Monero or Bitcoin. You need to pay 50$ in Bitcoin or Monero. You can buy Bitcoin here: https://localbitcoins.com/ Where i can pay? ---------------------------------------------- Monero Address: 48CEU93NRDqCmH3qfksLRLeQJ9mjbFCUXEyZkStiRDWtDodmAtd7voHF1sHa17MgmoYmMoErrJstV6nC1DqYoKxT38r6TUh Bitcoin Addres: bc1qpawwquwas0gd88u66hgxp222p52madqp5lk5xw Contact ---------------------------------------------- After payment contact: [email protected] and send Your personal ID with transaction ID (if you are paying with Bitcoin) Warning! If you report these emails, they may be suspended and NOBODY gets help. It is in Your INTEREST to get the decryptor. Your personal ID is: ID12_Yashma 1)Don't change the extension of the files. You will harm the files. 2)Don't move encrypted files. 3)Don't try to recover files by Yourself. This is impossible. Your files are encrypted with Curve25519 encryption algorithm, You can't decrypt files without private key. 4)Don't report to authoritaries. If You do it, key will be deleted, and Your files will be encrypted forever. 5)The price will be lower if you email me within 24 hours after encrypting your files.

Emails

/>[email protected]<br

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral22/memory/2888-1-0x0000000000C00000-0x0000000000C18000-memory.dmp	family_chaos
behavioral22/files/0x000b000000012029-8.dat	family_chaos
behavioral22/memory/2760-10-0x0000000001100000-0x0000000001118000-memory.dmp	family_chaos

Chaos family
chaos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2308	bcdedit.exe
3008	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2960	wbadmin.exe

Disables Task Manager via registry modification
defense_evasion

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Restore_Files.html	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FP29B0EC\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U9KKHJMH\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1J27TKW\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\INNMDE1C\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VSUVY3HP\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK3MU41S\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B8BOMT1Q\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1920	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007f0db866d9f70b4bb81874ebc6fa325200000000020000000000106600000001000020000000c0bb24c715c44d0451046b15e94a467d43785703471ec58c6f52de999a6e17d3000000000e800000000200002000000085e867348109fa5e8c5debb5548be6e4b5342d0cc44ebd15108700f035d5192d200000001b1b081c62dea85ae0c01957eae23ef311b8410d8700ed68f84411d4cd4d282740000000248899c39e060e87717ae4c4815fc909f9500ef6a48eb6442d04b5019c6a069228d08879840c51b3a37b16e2f5d50f9ca2b40d01477657ebc586b773178eab79	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{769D81A1-0979-11F0-A0C2-62CAC36041A9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80290564869ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007f0db866d9f70b4bb81874ebc6fa3252000000000200000000001066000000010000200000009261f7e85ff6fb8fa69d9f2e0168087f9f9e7c3bf2792c7ab5a309ad85780303000000000e8000000002000020000000ecc68d8bd3a3009002b5c4296deab03d1c82a11e83673e3fb2a9f7445f3c177c90000000ecfe3c75a36739a9d91ab6192646c48effa54c4be2fa664eef7ad73a68f4c55b1ccbbc00d1f2590b6a90125ba9c8d5f2cbdb8f8832ceeb8285de845689644b271d2e3401c115fc24a5c82e5b08d962eb7c71eeb1f0704a91af3d191a5ad8e2c798a8d82d9a30523ead68fd76471f0f50fb9e2c2c4d5364a517a5022d799828e0601d9b674f3ad453dd8cf8cc21c77e014000000051767ac68e5dc30bacbb69c52c5c63a43752fb3c33c1ac6529c30040860aefd5d09029273915b9987001e6f85f40b2b5404aefd1b909b9af894a0efa7b73e274	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449069641"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2888	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
2760	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2888	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
2888	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
2888	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
Token: SeDebugPrivilege	2760	svchost.exe
Token: SeBackupPrivilege	596	vssvc.exe
Token: SeRestorePrivilege	596	vssvc.exe
Token: SeAuditPrivilege	596	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2096	WMIC.exe
Token: SeSecurityPrivilege	2096	WMIC.exe
Token: SeTakeOwnershipPrivilege	2096	WMIC.exe
Token: SeLoadDriverPrivilege	2096	WMIC.exe
Token: SeSystemProfilePrivilege	2096	WMIC.exe
Token: SeSystemtimePrivilege	2096	WMIC.exe
Token: SeProfSingleProcessPrivilege	2096	WMIC.exe
Token: SeIncBasePriorityPrivilege	2096	WMIC.exe
Token: SeCreatePagefilePrivilege	2096	WMIC.exe
Token: SeBackupPrivilege	2096	WMIC.exe
Token: SeRestorePrivilege	2096	WMIC.exe
Token: SeShutdownPrivilege	2096	WMIC.exe
Token: SeDebugPrivilege	2096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2096	WMIC.exe
Token: SeRemoteShutdownPrivilege	2096	WMIC.exe
Token: SeUndockPrivilege	2096	WMIC.exe
Token: SeManageVolumePrivilege	2096	WMIC.exe
Token: 33	2096	WMIC.exe
Token: 34	2096	WMIC.exe
Token: 35	2096	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2096	WMIC.exe
Token: SeSecurityPrivilege	2096	WMIC.exe
Token: SeTakeOwnershipPrivilege	2096	WMIC.exe
Token: SeLoadDriverPrivilege	2096	WMIC.exe
Token: SeSystemProfilePrivilege	2096	WMIC.exe
Token: SeSystemtimePrivilege	2096	WMIC.exe
Token: SeProfSingleProcessPrivilege	2096	WMIC.exe
Token: SeIncBasePriorityPrivilege	2096	WMIC.exe
Token: SeCreatePagefilePrivilege	2096	WMIC.exe
Token: SeBackupPrivilege	2096	WMIC.exe
Token: SeRestorePrivilege	2096	WMIC.exe
Token: SeShutdownPrivilege	2096	WMIC.exe
Token: SeDebugPrivilege	2096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2096	WMIC.exe
Token: SeRemoteShutdownPrivilege	2096	WMIC.exe
Token: SeUndockPrivilege	2096	WMIC.exe
Token: SeManageVolumePrivilege	2096	WMIC.exe
Token: 33	2096	WMIC.exe
Token: 34	2096	WMIC.exe
Token: 35	2096	WMIC.exe
Token: SeBackupPrivilege	2276	wbengine.exe
Token: SeRestorePrivilege	2276	wbengine.exe
Token: SeSecurityPrivilege	2276	wbengine.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
220	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
220	iexplore.exe
220	iexplore.exe
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2760	2888	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe	30
PID 2888 wrote to memory of 2760	2888	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe	30
PID 2888 wrote to memory of 2760	2888	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe	30
PID 2760 wrote to memory of 2708	2760	svchost.exe	31
PID 2760 wrote to memory of 2708	2760	svchost.exe	31
PID 2760 wrote to memory of 2708	2760	svchost.exe	31
PID 2708 wrote to memory of 1920	2708	cmd.exe	33
PID 2708 wrote to memory of 1920	2708	cmd.exe	33
PID 2708 wrote to memory of 1920	2708	cmd.exe	33
PID 2708 wrote to memory of 2096	2708	cmd.exe	36
PID 2708 wrote to memory of 2096	2708	cmd.exe	36
PID 2708 wrote to memory of 2096	2708	cmd.exe	36
PID 2760 wrote to memory of 2864	2760	svchost.exe	38
PID 2760 wrote to memory of 2864	2760	svchost.exe	38
PID 2760 wrote to memory of 2864	2760	svchost.exe	38
PID 2864 wrote to memory of 3008	2864	cmd.exe	40
PID 2864 wrote to memory of 3008	2864	cmd.exe	40
PID 2864 wrote to memory of 3008	2864	cmd.exe	40
PID 2864 wrote to memory of 2308	2864	cmd.exe	41
PID 2864 wrote to memory of 2308	2864	cmd.exe	41
PID 2864 wrote to memory of 2308	2864	cmd.exe	41
PID 2760 wrote to memory of 2772	2760	svchost.exe	42
PID 2760 wrote to memory of 2772	2760	svchost.exe	42
PID 2760 wrote to memory of 2772	2760	svchost.exe	42
PID 2772 wrote to memory of 2960	2772	cmd.exe	44
PID 2772 wrote to memory of 2960	2772	cmd.exe	44
PID 2772 wrote to memory of 2960	2772	cmd.exe	44
PID 2760 wrote to memory of 220	2760	svchost.exe	48
PID 2760 wrote to memory of 220	2760	svchost.exe	48
PID 2760 wrote to memory of 220	2760	svchost.exe	48
PID 220 wrote to memory of 3040	220	iexplore.exe	49
PID 220 wrote to memory of 3040	220	iexplore.exe	49
PID 220 wrote to memory of 3040	220	iexplore.exe	49
PID 220 wrote to memory of 3040	220	iexplore.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
"C:\Users\Admin\AppData\Local\Temp\6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1920
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2096
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3008
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2960
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Restore_Files.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Updater6\Restore_Files.html

Filesize
3KB

MD5
cf0cc6e9f7b71141a348d2f8a9cc800f

SHA1
bd198c4263359f42901ee30c3c24fc0ee8b2bd9e

SHA256
5a78197d3cd89269832678d0a59244b21fb0d6a8a87c2a080f68975e9c2febb9

SHA512
4dd5ff23ba3401ffc050e34dd83f37aeef6e4e24ff29809309ddd40ffce4b4b9cab2764f53dbf843c4cf870e37590ece34c98d7bce9f50b193f632a3b1db38de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8cc1c677898f1246276fcba6c4f7f13f

SHA1
bbb01a21d0722a07f619a36517a2b43a5a0b5596

SHA256
91e1537af3212139bb7ecd0a0a9fd4221512e2d745f47fb771626115fae6d567

SHA512
c68ef3f1ca2f7807c32405c5a020f5446493b5f4a3b69e777a89140fa4b93bc97419fb396e8eca0c5ec4c57bcbdf02b57966a092c50decc09b4bfdac29f9f4e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b6b3b4b8315cf228c5aaa1745058973e

SHA1
dd9559a1b7bc3656cd4dfdca87dca46542149597

SHA256
397a707fb2fa9811eec27fe22ff5c125c6e0795433bd35a5aaefee9ea0a2f2c3

SHA512
d3e708bedafdcc642d08d20aa389a7935d1a3429ffb3287f1a97dcaed485fafdc6c56456163f40f84ff9f54a614b7d29baa3daa81bac334dd13881732822e0ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c1b51e9eb9335887e03ec2c53f9f1dd

SHA1
d9e07a8d2bf4080614df65bc83f4241875e51a30

SHA256
c784e046947e4dc0493213362ba25e38dbc497c091899b3c4da3ab99b37c5abd

SHA512
9cadc39f38e4d3558f23966cff1c81d1c2685885a8deedf9ea055f8387841f8ef70fce07a7dd9b2e70d45bf7f27ceccbcdd813a6d93191a1e01c06146eade473

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca927034695d8d6fa69b6bf4d114393a

SHA1
99b8e23e7bbb5dd2954ab3386997dfe153c12c11

SHA256
1f7670e45f2faa8cf6baae13050dc9741e973c035bca32dda478a6b37ba73787

SHA512
87f7bed986203f6d1610720dfa8252f3e39fef6220086abaf84f2941897c50ec95a2330234873550d6b84c8880ecb406018a9816a04d3baf76df70d654ac2955

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc3d3356a37063b1ab02624188188009

SHA1
4c4c6410b909f2df5137e14cc88d96132519e8a6

SHA256
0df9accf271a14c447c4b4adc32979d5e77166a578b5ba51c68cf6b1bb3db0ce

SHA512
60d614c74201dbeb8e2b8fad29fb47c62d3875db76eb6e3ca1c4a23846b6c8e905dedc4092ed24acf9e280aedb15f4880f6a84891a8089f8a9dece4745bcf6b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9cb2a10c72a0b5fa0db656ca8b420312

SHA1
7e53d394e20becd589c4022d1ffc60d4a4f554c7

SHA256
b94d519b5815e28cbf5904e2ee4dbc7473f14a82a3c0d616094da4374702c811

SHA512
38d4594c956f8601ad694a4a64329b5f65b6d34ad3ff1905ef2ec276ca92d76ffdc197332adda2afebf29066aee62a386aedd933e33854c1af892082a3470ff5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6729571205dca173fbc76673dc0d9eb

SHA1
b32abaf0913c2152e4e11212918decff5956621e

SHA256
ec53ed73e8976fa298f847dbd910bd7f73071cf35ab0287690ccc26718ef4255

SHA512
db42fdc680ebad375c18c51db1ea2e13f7da7f8465cf333b30a5e59ad803c4bda26c0b65449a651c4ea1587decc7bc82246ae85f6a04ac3fdafba29814d6e8a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95dc334b6e7c38c04c839b99fc51d327

SHA1
a97cddbae5ff5dd939bf801779050e18d6dd09ed

SHA256
23caaef294b868dc7cc5486f85c500ca18b718f3c41db2093300b6e11fe96efe

SHA512
a54ed052318d0ce60653f21831ae4cf9f888d6e0f3bb0f78706f014084a381d85fdff13b190b9d1ebb2ddb5b108bd178b46b286ea12fa346651d0a9f042f2570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
350a07f154a5a732422ca77795fc3cc3

SHA1
f314ba9c4d627692df5d38b08e2ab44b4ab5872d

SHA256
0c7108f786cff8126ea1bdeaee70e2cd28862a38643e856845039b1f713c3300

SHA512
07201e985a449b3a2d78ed52147f8524cf74b09af8031de5afc4f8e4797351ec1266b11009c252db7b6d6d89649a67ac78b939eff85b18572f9d0461f9d9960e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39f1aeba777071ddb54ef4364051b863

SHA1
2c17a1cc89d2059ac26d65e84f151b5d5955f9d8

SHA256
75397098c858246d101fe1e370967e7714fa050e358c8d685c0ffd35aed0a771

SHA512
88b8cca429b02805fc0a2ee92417c4c093b193bd7cf48fd0f03593324e8e75cc7ede7d088ac482a01202bd4bc4993a24e74d0e75773fd56ae460d5a86f997f27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
070fb0b195a04854a3c2841319b4b3d4

SHA1
e7cd645522d6bcf8e2ca788c28e69d2c686b22ec

SHA256
c85daa2526ed5c80a866990510e5ef557375345089e43156e86959199c6241d9

SHA512
65eb286f1e06c24e215b68a360e0f8087ba6a13b28447a939bc68b13633d9d55ac49adefcb91d4eb7d5c7d69728cb2e5560997e9c01c8ad733628bb70e6c6103

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0dd27e660ebc130fb601ecf195e0b7ea

SHA1
47dd98b4f751baf17c70953afe504a940fe501d8

SHA256
7f01423eb9c28797d61eaa29d51ddc1775a6fad6e847ec7ffc1067af894826dc

SHA512
aaaa01c45a6cafcb5bbbac7c6030f95847d4760e1838c4bb887bb7f7572a0dc3e196b7bf7a4704f418697eed55fb86119160ee142781cfe1d4c3bf4ca98520c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1bbdc59ba35818d59d28ca7fa9c6197

SHA1
8f25ef29ca96590485dad7dc8171250cb0024a52

SHA256
f796a1069b7b653cd4c58cc94011df8d7add9b46b75186a1e48a7e08b35ea354

SHA512
458e54911183860172afca16ab4f10aec556165b8714bc25b3421c26a5b68dda2e893bb072e5be65e3c19b06d613f63a8cebb1d61ee3fd45668a3f3122f2eddb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f0c7f02c5edc170fa91a8d76092787c

SHA1
94e7c8e53a6c157dc586b46118277b841d7010e2

SHA256
75af56e1055b9685d9941bd7ef89e1918a2ad285abbf045990c8d11f31feca32

SHA512
1f7ed3e899883b8a7854285fbff3686995dee41129c7f7935d632d17771e61b6216e902609684f1242bd1e48fb7fa791cab38f25a33ff57baa381017cdfc4870

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76d37200c74a0829cfc2a14dec43335b

SHA1
f808ee16386110776e1e07659b84a35179baeb6a

SHA256
c0a64cc72b6998dbf2aedd8021d21dabd5c870b23eb2ad9865767586793d3f18

SHA512
b738a57e65174c48521d751a8b8dace2290b2da5a40e7965a054225a16184e95b7ad7ae7a9ad229e7040105e2ae8c2636f7e4bfffffc2d5ebf54d52d384e6d70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1cd1f58efea40703be6cef65ae9c7bbd

SHA1
14e3395c7d33c03e46aafd0d06ed4dd78793a6f5

SHA256
b55cd856b7ffcab8e7837ac4e6c508046ccbb960cbc4067514bab82cc3e2c7bf

SHA512
cb2efc4ae4ae255d7b11f9da9dcdb773774e7569b71ba4cd2b7cd264cb712336678826d634bf3d5e37299ee56ff2aaa82d13465f13e6166c00c95f06295f68af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5b42d86006a26220040c871f8169ce7

SHA1
19f365210e3895f981d59c4f110b98cff3f120e3

SHA256
2430501baacd7636c43875fea7f0ff7296c5247dc6f72996c82691536cd5ece3

SHA512
59c5b20512ab0b3b5624b3dbe377e3d28dbe7e52426d8fd9d51e5055f389e92e1e7395a9a0b8bb2aaf79398630b09479a0a94c4a86b9ca9db1efea7f65f370af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9298148ded18f21e0b5dfee2d4e08bbe

SHA1
1c13456e54a9339b667a20a6b8217d476dfedaea

SHA256
f0806afed0b73c9a4f552303aab379416d35c97dce2ba37aee7796c536dc43d4

SHA512
f4c80e369e9ef34ac1c9276fef3e8262030b12c26c6c5e369895921c60f05ba02cb720ff52065749f42cd6517b5e25e5f5d47fbeea80c7067409e378f7aaf37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6911.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6A32.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
71KB

MD5
8f033c07f57f8ce2e62e3a327f423d55

SHA1
57ac411652d7b1d9accaa8a1af5f4b6a45ef7448

SHA256
6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b

SHA512
f3712e7d5d55b27a4c20de07cce136e6d58ce62fa146d29b34dece6248e4456139703c50df10cb318346311cfeee0a8449d49163e821744efcde3ecfe8b880df

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
memory/2760-13-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-876-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-10-0x0000000001100000-0x0000000001118000-memory.dmp

Filesize
96KB

Download
memory/2760-12-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-11-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/2888-4-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-3-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/2888-2-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-1-0x0000000000C00000-0x0000000000C18000-memory.dmp

Filesize
96KB

Download