f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093

General

Target

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
Size

1.8MB
MD5

10d7151b9ee53b8da8ee6f85001ffb20
SHA1

76d33ef58ea7b012342d975d871db64840da9675
SHA256

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093
SHA512

1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html

Ransom Note

Critical Error! Your files have been corrupted! Follow these directions to easily restore them: 1. Purchase around $200 in Bitcoin (BTC). To learn more about Bitcoin, visit https://bitcoin.org/en/buy or https://buy.bitcoin.com 2. Send the new Bitcoin to the following address: 14BfVG4vH71NLmhu7vFKi9EMmeZFoiAsYP 3. Contact our Tech Support team at insupport@messagesafe.io and explain your issue. 4. After confirming your Bitcoin transfer, we will send you a file-repair tool to fix your entire system. 5. Run our file-cleaner and wait... Your data will be restored. To test our services, you may send up to 2 files for repairing before making the Bitcoin transfer. Estimated repair time after Bitcoin transfer: 24 hours

Emails

insupport@messagesafe.io

Wallets

14BfVG4vH71NLmhu7vFKi9EMmeZFoiAsYP

URLs

https://bitcoin.org/en/buy

https://buy.bitcoin.com

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\UpdateGrant.crw.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\MergeFormat.raw.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

Drops startup file 2 IoCs

Processes:

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe7zG.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.7z.tmp	7zG.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1488 vssadmin.exe
2524 vssadmin.exe

pid	process
1488	vssadmin.exe
2524	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000001e8c7e9a07b824437d9aca30bd2dc0850907b41d714e3e08989fb6695f6692d3000000000e8000000002000020000000908f8722f85467ce4d1b9f4e2e2a6bb84d2b4629b11187a682e6b35d8ca758962000000006c3a253ebe8f73bbd51c6284892612c678344c9ab9d255ed3852b619fa02ec84000000001a385691194c44f92befcd06a604ed8f746a3e809857b57411cdd85c79d5927ef3ba2136fecbfd8f72d8896081b926d98f0585c2e1bfd48f7c7970eb8da535a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e092d53180bed601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5A775821-2A73-11EB-8332-F65A7312C48E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000d014d6d73683ab094af7153ed2faf9026bb25b998f1ac9f866845562a873b902000000000e8000000002000020000000abdc66d033a425b63fa17ad12199f488991b80060334aa23237a45f216a803c790000000774bdfef5c1eaec690842716fa716c610107517f8c5d7c0fdb0368cea6851a11f3bddf473b5de7da58b0c7c3b3a81f0f98ffc9d861135477febee8827889c34d5fe791a887c21c9d81d8dedbb576bcb7e1c93ad20806ab090d59b8822079dcd5c310cac3612a591a53aaa2a59c1e2ffcda461283ef5fec733d7e3b380c9e345d6f872f65e8015bf72a73afe5636a4c8340000000d699895f8b82a96bc2c0ef5ec6aae2357650b27149aeff4f56a2d7aec293e17e78aca551ce64d01627bb552ef333d9f9461d8d52ff25d3acf01e9aba05aee5ec	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2644 NOTEPAD.EXE
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1380 powershell.exe
1472 powershell.exe

pid	process
2644	NOTEPAD.EXE

pid	process
1380	powershell.exe
1472	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exevssvc.exe7zG.exe

description	pid	process
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeBackupPrivilege	2356	vssvc.exe
Token: SeRestorePrivilege	2356	vssvc.exe
Token: SeAuditPrivilege	2356	vssvc.exe
Token: SeRestorePrivilege	1876	7zG.exe
Token: 35	1876	7zG.exe
Token: SeSecurityPrivilege	1876	7zG.exe
Token: SeSecurityPrivilege	1876	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe7zG.exe

pid process

2788 iexplore.exe
1876 7zG.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	process
2788	iexplore.exe
2788	iexplore.exe
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exepowershell.execmd.exenet.exenet.exerundll32.exeiexplore.exe

description	pid	process	target process
PID 1740 wrote to memory of 1380	1740	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 1740 wrote to memory of 1380	1740	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 1740 wrote to memory of 1380	1740	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 1740 wrote to memory of 1472	1740	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 1740 wrote to memory of 1472	1740	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 1740 wrote to memory of 1472	1740	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 1472 wrote to memory of 396	1472	powershell.exe	cmd.exe
PID 1472 wrote to memory of 396	1472	powershell.exe	cmd.exe
PID 1472 wrote to memory of 396	1472	powershell.exe	cmd.exe
PID 396 wrote to memory of 1488	396	cmd.exe	vssadmin.exe
PID 396 wrote to memory of 1488	396	cmd.exe	vssadmin.exe
PID 396 wrote to memory of 1488	396	cmd.exe	vssadmin.exe
PID 396 wrote to memory of 2524	396	cmd.exe	vssadmin.exe
PID 396 wrote to memory of 2524	396	cmd.exe	vssadmin.exe
PID 396 wrote to memory of 2524	396	cmd.exe	vssadmin.exe
PID 396 wrote to memory of 2556	396	cmd.exe	net.exe
PID 396 wrote to memory of 2556	396	cmd.exe	net.exe
PID 396 wrote to memory of 2556	396	cmd.exe	net.exe
PID 2556 wrote to memory of 2568	2556	net.exe	net1.exe
PID 2556 wrote to memory of 2568	2556	net.exe	net1.exe
PID 2556 wrote to memory of 2568	2556	net.exe	net1.exe
PID 396 wrote to memory of 2596	396	cmd.exe	net.exe
PID 396 wrote to memory of 2596	396	cmd.exe	net.exe
PID 396 wrote to memory of 2596	396	cmd.exe	net.exe
PID 2596 wrote to memory of 2608	2596	net.exe	net1.exe
PID 2596 wrote to memory of 2608	2596	net.exe	net1.exe
PID 2596 wrote to memory of 2608	2596	net.exe	net1.exe
PID 2408 wrote to memory of 2644	2408	rundll32.exe	NOTEPAD.EXE
PID 2408 wrote to memory of 2644	2408	rundll32.exe	NOTEPAD.EXE
PID 2408 wrote to memory of 2644	2408	rundll32.exe	NOTEPAD.EXE
PID 2788 wrote to memory of 2852	2788	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 2852	2788	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 2852	2788	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 2852	2788	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -WindowStyle Hidden get-wmiobject win32_computersystem | "fl model"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Process C:\ProgramData\amdkey.bat -Verb runas
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\amdkey.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1488

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
4⤵
- Interacts with shadow copies
PID:2524

C:\Windows\system32\net.exe
net user /add RedROMAN p4zzaub71h
4⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add RedROMAN p4zzaub71h
5⤵
PID:2568

C:\Windows\system32\net.exe
net localgroup administrators RedROMAN /add
4⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators RedROMAN /add
5⤵
PID:2608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\TraceRename.ex_.REDROMAN
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TraceRename.ex_.REDROMAN
2⤵
- Opens file in notepad (likely ransom note)
PID:2644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap21596:184:7zEvent14446 -ad -saa -- "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\amdkey.bat
MD5
e1ccfa2c9fccc3306d6a2beafee97e88

SHA1
769a6f5692364611fb1c97b7f8909e305df46b0c

SHA256
8c6a13f418d0c11640ea15a0c42a4edc9f4175c4c924573c35b86929a7d25aaf

SHA512
f5ecf42ded57faa60cd98f7e43438c7b7158afb7061b836805469840880ae6b980dfe99f66bce8b52f2fa27eb0d07a48631da8f8fb82a3f12754a2024d70460c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
615a05ffd0f3a4dcd2131e2adf26bd96

SHA1
eac9f1ddb099e7cd653d9d0c757dfe6a753088ba

SHA256
3f29ece07a651a0ceae9569e84cade5b60f15ae6a2e44ae42b9fc1d6c37b2947

SHA512
1c0ef46ce6b39ab2290d4e6910a068219225de26f475f7842317e452aa987ef3e4ba3b9a209c1086c5120091fd8b7d774511d04a0f9917bb4d2320b946323faf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
f71960fa9c39f9a785ffd967ffe4b1c1

SHA1
613d89d563c7f4e5248112ecce2e5b89c39a2284

SHA256
9f331c03980bc7f49bfbae55df8c2c8f7a87aabe30ecce2c1d46995b6e9a7176

SHA512
974d3494e07999231ed93f5e620674b4c196a5be975562e98da259253820b4c5338fba5c90a475820ccfafd1302e7266ca0d4b8ea4e0b4fdaa98748159b0329a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html
MD5
a15162a522fbd1ed603ab6415f4de0de

SHA1
33299e2baaff029b82c724630d4b5e5424353f18

SHA256
5d4d8f87b815bbc435d6b8b1b3d3349d06a6d82226a4ad0e17accf8b750d80dc

SHA512
d45ba782b9977131ce3b30661ec5db27fd94a169dc42ca6f0a907db20186c54348eaeae763279113fb81783d56478b9c98b2038948eb4c7cb18d00f4c292650d

Download Submit
C:\Users\Admin\Desktop\TraceRename.ex_.REDROMAN
MD5
61168d9b275e0d90b3d4df579d75a16e

SHA1
809b023d9ecf86b095791af6b39bc1985299c577

SHA256
6afb6dd934bc5725ea928d9b97e05493018954316795aca81c236596132252e4

SHA512
d183c1d906196b90ca95b8585a7c3915e80db087569cb3bcac206d040ce942a2d458043dfaf4d72f2fa0020965b000428ee4856c97d508a26811995861b734d5

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/396-19-0x0000000000000000-mapping.dmp

Download
memory/1380-8-0x000000001C5F0000-0x000000001C5F1000-memory.dmp

Filesize
4KB

Download
memory/1380-6-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1380-1-0x0000000000000000-mapping.dmp

Download
memory/1380-7-0x000000001C200000-0x000000001C201000-memory.dmp

Filesize
4KB

Download
memory/1380-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/1380-3-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1380-4-0x000000001AC90000-0x000000001AC91000-memory.dmp

Filesize
4KB

Download
memory/1380-5-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1472-14-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/1472-12-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1472-17-0x000000001B9B0000-0x000000001B9B1000-memory.dmp

Filesize
4KB

Download
memory/1472-9-0x0000000000000000-mapping.dmp

Download
memory/1472-13-0x000000001ABE0000-0x000000001ABE1000-memory.dmp

Filesize
4KB

Download
memory/1472-15-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1472-11-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/1488-20-0x0000000000000000-mapping.dmp

Download
memory/1740-0-0x000000013F640000-0x000000013F811000-memory.dmp

Filesize
1.8MB

Download
memory/2524-21-0x0000000000000000-mapping.dmp

Download
memory/2556-22-0x0000000000000000-mapping.dmp

Download
memory/2568-23-0x0000000000000000-mapping.dmp

Download
memory/2596-24-0x0000000000000000-mapping.dmp

Download
memory/2608-25-0x0000000000000000-mapping.dmp

Download
memory/2644-27-0x0000000000000000-mapping.dmp

Download
memory/2664-29-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp

Filesize
2.5MB

Download
memory/2852-30-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads