dharma | 478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631

Analysis

max time kernel
150s
max time network
114s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
Size

173KB
MD5

0e3628ff2cfc0b5b457e14acc55e7fa6
SHA1

324e18c7c8776c1c9d8ec054182d98b8c8c0021e
SHA256

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631
SHA512

7959504f076ce488559f0af15b7f4514ac25e8fcdee428870c8fbb7e3fb2ceebc042ae3668adbd14fd3204e65c61cb2298056cd43a59a8b4ac6a01070c920136

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exesvchost.comsvchost.com

pid process

1828 478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
3668 svchost.com
3148 svchost.com

Drops startup file 5 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe = "C:\\Windows\\System32\\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe"	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Drops file in System32 directory 2 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
File created	C:\Windows\System32\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Windows\System32\Info.hta	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Drops file in Program Files directory 64 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailBadge.scale-400.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ru-ru\ui-strings.js	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSFPROXY.DLL.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\management\jmxremote.password.template.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\ui-strings.js.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbUpOutline_22_N1.svg.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_contrast-white.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-colorize.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\remove.svg	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\plugin.js	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main-selector.css	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-100_contrast-white.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Speech_Bubble.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeMedTile.scale-200_contrast-white.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_am.dll.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-100_contrast-white.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\master_preferences.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\SmallTile.scale-200.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_k_col.hxk.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-hover_32.svg	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-exit.svg.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\dailymotion.luac.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\SetupTeardown.ps1	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\CameraIcon_contrast-black.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-focus_32.svg.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARABD.TTF.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.4919d9c8.pri	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\j2pcsc.dll.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Peacock.jpg	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapter.dll.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-high.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\1s.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-cn\ui-strings.js.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\WideTile.scale-125.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\it-it\ui-strings.js.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\fr-FR.PhoneNumber.SMS.ot	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\Fonts\PplMDL2.1.69.ttf	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\office.x-none.msi.16.x-none.vreg.dat.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util.jar	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.id-B83D631F.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-40.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Drops file in Windows directory 5 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exesvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4088 vssadmin.exe
272 vssadmin.exe

pid	process
4088	vssadmin.exe
272	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

pid	process
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3464 vssvc.exe
Token: SeRestorePrivilege 3464 vssvc.exe
Token: SeAuditPrivilege 3464 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3464	vssvc.exe
Token: SeRestorePrivilege	3464	vssvc.exe
Token: SeAuditPrivilege	3464	vssvc.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.execmd.execmd.exesvchost.comsvchost.com

description	pid	process	target process
PID 2116 wrote to memory of 1828	2116	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
PID 2116 wrote to memory of 1828	2116	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
PID 2116 wrote to memory of 1828	2116	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
PID 1828 wrote to memory of 1704	1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	cmd.exe
PID 1828 wrote to memory of 1704	1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	cmd.exe
PID 1704 wrote to memory of 3512	1704	cmd.exe	mode.com
PID 1704 wrote to memory of 3512	1704	cmd.exe	mode.com
PID 1704 wrote to memory of 4088	1704	cmd.exe	vssadmin.exe
PID 1704 wrote to memory of 4088	1704	cmd.exe	vssadmin.exe
PID 1828 wrote to memory of 3944	1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	cmd.exe
PID 1828 wrote to memory of 3944	1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	cmd.exe
PID 3944 wrote to memory of 1772	3944	cmd.exe	mode.com
PID 3944 wrote to memory of 1772	3944	cmd.exe	mode.com
PID 1828 wrote to memory of 3668	1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 1828 wrote to memory of 3668	1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 1828 wrote to memory of 3668	1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 3944 wrote to memory of 272	3944	cmd.exe	vssadmin.exe
PID 3944 wrote to memory of 272	3944	cmd.exe	vssadmin.exe
PID 3668 wrote to memory of 280	3668	svchost.com	mshta.exe
PID 3668 wrote to memory of 280	3668	svchost.com	mshta.exe
PID 3668 wrote to memory of 280	3668	svchost.com	mshta.exe
PID 1828 wrote to memory of 3148	1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 1828 wrote to memory of 3148	1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 1828 wrote to memory of 3148	1828	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 3148 wrote to memory of 1972	3148	svchost.com	mshta.exe
PID 3148 wrote to memory of 1972	3148	svchost.com	mshta.exe
PID 3148 wrote to memory of 1972	3148	svchost.com	mshta.exe

C:\Users\Admin\AppData\Local\Temp\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
"C:\Users\Admin\AppData\Local\Temp\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\3582-490\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:3512

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4088

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:1772

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\mshta.exe
C:\Windows\System32\mshta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
4⤵
PID:280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\mshta.exe
C:\Windows\System32\mshta.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
4⤵
PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3464

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\478052~1.EXE
MD5
0e3628ff2cfc0b5b457e14acc55e7fa6

SHA1
324e18c7c8776c1c9d8ec054182d98b8c8c0021e

SHA256
478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631

SHA512
7959504f076ce488559f0af15b7f4514ac25e8fcdee428870c8fbb7e3fb2ceebc042ae3668adbd14fd3204e65c61cb2298056cd43a59a8b4ac6a01070c920136

Download Submit
C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\478052~1.EXE
MD5
0e3628ff2cfc0b5b457e14acc55e7fa6

SHA1
324e18c7c8776c1c9d8ec054182d98b8c8c0021e

SHA256
478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631

SHA512
7959504f076ce488559f0af15b7f4514ac25e8fcdee428870c8fbb7e3fb2ceebc042ae3668adbd14fd3204e65c61cb2298056cd43a59a8b4ac6a01070c920136

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
MD5
bf48f828514d1e82ad7a79c00dc68037

SHA1
f146a4b4c10965b908dc5b61757d5ba685994010

SHA256
414ad1d5408a40484edb6ca0a82e1a365bfe330bc54bfe555eebb2633ff74883

SHA512
481114e7ac2d12e369dc976157e6ec07784bfc69cdafb2051e67d6970a2360257a11fa3841a5248bb015d2c3df7721633512b05dba9e568dc493ced30469d720

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
MD5
a9a946fcd7cb5c904e473081dae45208

SHA1
bcd6fc1644da1d600e8eda98f73491022167e576

SHA256
1415c35660cf43ee371df063ac312412368c3e1cadb43c673f251390cb2541cd

SHA512
b40c46ebbc262adf38ab3c225be308eb9764bd8a789d45704676303484819cec19d057565f3e9885b2530bba296aded6f4ab13610efcc8543ee7cdd878162d6f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
MD5
bc4cc10232329ca6dc7bdfbdaffee4ba

SHA1
ac029c3ae9d777e1b790eb20162d81599f631d9c

SHA256
5e5284be0bffd61a7f30baa158489a52658b3e04bad2e3646d1e2044b9fb0bc4

SHA512
37c07cde1824674728f30dda79cc3dc5c63b286a22660453f5ea99a1eada377db01df4be3b8aebf8cfd7df45792e1b4b27e2e1a3b22393ff5fb8b62430df921b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Temp\GUM1CBD.tmp\GoogleUpdateSetup.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
MD5
526c4d5d7a3f2e649a8334bc5cae1186

SHA1
5b6b1dd760141242793b7c54d7257420c3d48eb6

SHA256
6078926d74d461238569d32a1c9afdfa6c14edf7896ed5d0cd51ad9190dc669d

SHA512
41ef68a294f0eec11ca72ca489e5da694521cd67dbe0ac971e6df642a1be20aa7c947bff6e64313fa3382310e0689c41a5b3fdef0682d2c2128a9634bc074481

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
MD5
5c5b75f878a1810edbfe9cff4323c9e3

SHA1
42e0e391aaccd51a019b5127ee0ad542d030c90a

SHA256
63c0e3d831d67ea512d2e4ea0f98463eae641413d96fb0a573cb37a232a9a93a

SHA512
4774fb98d3f5c7f755ab227483be3050bf96c1e92e5f79ffb6da90c4d292899fd05c27c5da201ffeb304781507bde8982733ea5379bb960f81aae4ee14672874

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
MD5
a4c75844f97d77b297b00fbda77808ce

SHA1
b4b1a7cf682832bdfafb65a31f41dc3741584acf

SHA256
17be62abdf57a6c4a054c8b5198a3ad643f7a74ffc9dbec866bd62bc054e4b7c

SHA512
0c885c3c8b3370a9f89b9ad41887bc1fe23e556d7cee81920d166684c246980160987c9d2b733af35126fabf96489d02b7fb054784429934b6d25c8662849c73

Download Submit
C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
MD5
8bed8cf243d3719ce3db098fe4e25507

SHA1
2d5324d4e24d295c80b42718fd6bf624d45847b0

SHA256
a191d14dd5d4c4fa29b956b7b9608a5e4691035345e2227285a52640bd94ad6d

SHA512
86a049df7d72b12a38aa00642e6168fd7551702d3b38a51def7dffea7220d6a729ede66b2819e5fc031c11d042b2993a39e84ce24f01fd15fcd32f6c70886f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
MD5
cb09c1a0bba7d1c95f4408a2e39c6fe7

SHA1
2120373114859a1ef0dc862445f10de5d7eaa703

SHA256
040ed34fc080c843f619b14b957f8153c9af5a64c5b3ab01a286002258674a07

SHA512
4a8686c320170594dd878640468d51181cf980feb6b34eac6f729a2f00d4568788eca995c54b6ff1aba61ffaeee88a3a76906b1d437d9cadbf937c181554984f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
MD5
07ac1d9198334cf3879c74f9e8b03c76

SHA1
fed90290b14a98bbca8ae40902c1aa362692bfb3

SHA256
888994644e6a8ada319ce032f93e5ad42dfbecda0eb7ee38069c202ed07b875d

SHA512
c50c7e876530dec139e3e5d2e8912c36b45e0bde114a92016135af7a25567f3d155ccf4daa9ed8b6cdba7cf4abab91d0ebd4962e589fc163c3acdd11bb238281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
MD5
54364c87b9ea34ba6ec820fd8cfb371e

SHA1
7fb183228c359b34c8083743bc011b028d10c141

SHA256
79fe50cdc0f5149ed7db23a57397f1b8d21776ad594e6d705b08c7e5b9e1ff23

SHA512
d5d80a380c217712bfa9653c349555b3f7f6ea509fa23b8da32239efe44555a258ba22dbd456f06db7063e128698788cc4d12482afbbb61ba91fb6c5e4646b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
MD5
d64be1cf64058aba02cb98065d5ea3f0

SHA1
fbcc5a7492f6bcbc86f36fd191df038f6f6660d0

SHA256
db87da4d68417d25dd5b53511a5596cce452cdb9ab38682dfa12d6d898c38ec9

SHA512
549640e2c68692e77593b31abf2ab9cd407d8e87190096faa566d9b3d84c9ec35c66ea0d41460446ea9f469067582588af219e8dce7342ea7bfad53be192aba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
MD5
d64be1cf64058aba02cb98065d5ea3f0

SHA1
fbcc5a7492f6bcbc86f36fd191df038f6f6660d0

SHA256
db87da4d68417d25dd5b53511a5596cce452cdb9ab38682dfa12d6d898c38ec9

SHA512
549640e2c68692e77593b31abf2ab9cd407d8e87190096faa566d9b3d84c9ec35c66ea0d41460446ea9f469067582588af219e8dce7342ea7bfad53be192aba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
78ea5b1dbb72adb8b191a83cac841e9b

SHA1
beff02e35d160ec2671539c0b3db8c93e15f82ef

SHA256
1eeab2592f47619f9f5f44eadedcb64b938877267bd778d0e29140122014a945

SHA512
cafa9381a505364ee71fdc670f537756e3df6128413007e565a5ecd2ee3467ee01004d856090d1e6f2c5ddccde97013a45d83683da5b1c703a027406eb1dce20

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\478052~1.EXE
MD5
0e3628ff2cfc0b5b457e14acc55e7fa6

SHA1
324e18c7c8776c1c9d8ec054182d98b8c8c0021e

SHA256
478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631

SHA512
7959504f076ce488559f0af15b7f4514ac25e8fcdee428870c8fbb7e3fb2ceebc042ae3668adbd14fd3204e65c61cb2298056cd43a59a8b4ac6a01070c920136

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\478052~1.EXE
MD5
0e3628ff2cfc0b5b457e14acc55e7fa6

SHA1
324e18c7c8776c1c9d8ec054182d98b8c8c0021e

SHA256
478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631

SHA512
7959504f076ce488559f0af15b7f4514ac25e8fcdee428870c8fbb7e3fb2ceebc042ae3668adbd14fd3204e65c61cb2298056cd43a59a8b4ac6a01070c920136

Download Submit
C:\Windows\directx.sys
MD5
3bced55482de442d0dc8903d9a3a63ca

SHA1
60b7af372128030e3717d17f9f55132fa7d47898

SHA256
e13521023a74f97d01c7dbb3126004bc039175e88bb8acf3a00f22cd63556e2c

SHA512
00bb6a5fd2f835ddc7b685896f42f270da06ffab8d6175c8277eaaa2adcf78a19da7656b164540ecacd80eb0ddf0c5fe9806d797f4fab1fae42882ed5eca2a10

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\office2016setup.exe
MD5
1191e6daed35e783c0e1734b8ff535ab

SHA1
5a97b09b86e71dc4b2c5cc0d801a2879e08071ac

SHA256
f32b2507ef07a9a6743ab095c5b37efdecc05aeb48387fe2864c51fd93494126

SHA512
8a5ee4ab5fba300d1a246a1b2cf43135936b4ee3b0150e04bf89dacb7f4c863ff09d9ca666e4f35c5d14329a22cd037c0c65e571308c68d8c80bd9b8563a1b19

Download Submit
memory/272-171-0x0000000000000000-mapping.dmp

Download
memory/280-172-0x0000000000000000-mapping.dmp

Download
memory/1704-117-0x0000000000000000-mapping.dmp

Download
memory/1772-167-0x0000000000000000-mapping.dmp

Download
memory/1828-114-0x0000000000000000-mapping.dmp

Download
memory/1972-176-0x0000000000000000-mapping.dmp

Download
memory/3148-173-0x0000000000000000-mapping.dmp

Download
memory/3512-119-0x0000000000000000-mapping.dmp

Download
memory/3668-168-0x0000000000000000-mapping.dmp

Download
memory/3944-166-0x0000000000000000-mapping.dmp

Download
memory/4088-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads