0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad

Resubmissions

23-08-2021 09:03

210823-vqq93xpzhj 10

12-08-2021 21:11

210812-xvzjbhw2q2 10

08-08-2021 17:49

210808-rjh11mmpt6 10

Analysis

max time kernel
92s
max time network
97s
platform
windows7_x64
resource
win7v20210408
submitted
23-08-2021 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
Size

1.2MB
MD5

cc3652c078fa2bdfbbfae33335c30bda
SHA1

b3d3ad0c2c9d526717f55c431d51c2f1e957325b
SHA256

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad
SHA512

d027e1df8c10516b81e47ef840f0e2baf971c0e0c4e77ff0fdc0122bbbb66ed210fd78336cb40d05c76d91838ae89ebb3304050dbf7fb7eeec73d47d1d26ec3d

Score

9^/10

evasion persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

232 bcdedit.exe
2016 bcdedit.exe
Deletes System State backups 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

1132 wbadmin.exe
764 wbadmin.exe

pid	process
232	bcdedit.exe
2016	bcdedit.exe

pid	process
1132	wbadmin.exe
764	wbadmin.exe

Drops file in Drivers directory 13 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Modifies extensions of user files 24 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UnprotectOpen.crw.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\MoveHide.raw => C:\Users\Admin\Pictures\MoveHide.raw.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\OutJoin.png => C:\Users\Admin\Pictures\OutJoin.png.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\OutJoin.png.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\OutJoin.png.inprocess => C:\Users\Admin\Pictures\OutJoin.png.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\PublishOut.png => C:\Users\Admin\Pictures\PublishOut.png.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\PublishOut.png.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\StartConnect.crw => C:\Users\Admin\Pictures\StartConnect.crw.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\UnprotectOpen.crw.inprocess => C:\Users\Admin\Pictures\UnprotectOpen.crw.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CopyUnregister.tif.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\MoveHide.raw.inprocess => C:\Users\Admin\Pictures\MoveHide.raw.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\PublishOut.png.inprocess => C:\Users\Admin\Pictures\PublishOut.png.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectOpen.crw.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\CopyUnregister.tif.inprocess => C:\Users\Admin\Pictures\CopyUnregister.tif.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CopyUnregister.tif.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\OutJoin.png.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\PublishOut.png.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\UnprotectOpen.crw => C:\Users\Admin\Pictures\UnprotectOpen.crw.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\CopyUnregister.tif => C:\Users\Admin\Pictures\CopyUnregister.tif.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\MoveHide.raw.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\MoveHide.raw.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StartConnect.crw.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File renamed	C:\Users\Admin\Pictures\StartConnect.crw.inprocess => C:\Users\Admin\Pictures\StartConnect.crw.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StartConnect.crw.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

792 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
792	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe\" e"	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Enumerates connected drives 3 TTPs 41 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exe0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\N:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\R:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\I:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\K:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\Q:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\T:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\Z:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\A:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\F:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\G:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\P:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\V:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\D:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\Y:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\E:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\U:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\W:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\X:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\B:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\O:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\J:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\L:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\M:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\S:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Drops file in System32 directory 64 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
File opened for modification	C:\Windows\System32\config\DEFAULT	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\30c765c9-ddac-4ad1-9274-9b5710828634.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\SOFTWARE	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\config\RegBack\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SOFTWARE	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\SAM	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\config\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\30c765c9-ddac-4ad1-9274-9b5710828634	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\LogFiles\Scm\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\SYSTEM	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\DEFAULT	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\30c765c9-ddac-4ad1-9274-9b5710828634.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\4211027d-9ff6-4217-a170-b61deb4c4483.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\4211027d-9ff6-4217-a170-b61deb4c4483.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\48f72a92-d8df-430f-9967-0e6d87138050	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\48f72a92-d8df-430f-9967-0e6d87138050.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\BCD-Template	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SECURITY	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\RegBack\SYSTEM	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Resolute.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Dublin	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UTC	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Riga.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Seoul.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Curacao.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Athens	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Khartoum	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Stanley	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+12	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Iqaluit	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Creston.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Merida.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Lagos	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Montevideo	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Moscow.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\cacerts	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Recife.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Manila	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Rome.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\meta-index	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Managua.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santiago.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yekaterinburg.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Oral.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yerevan.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yekaterinburg.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Dublin.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Wallis.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Atikokan.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Baku.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Edmonton	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Krasnoyarsk.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh88	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Drops file in Windows directory 64 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exewbadmin.exewbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th0	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th1	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Panther\setupinfo	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb0	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_2	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb1	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb2	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\enwindow	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb2	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_3	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\dewindow	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb0	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_1	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Panther\setupinfo.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb1	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_0	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_2	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File created	C:\Windows\SoftwareDistribution\Download\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\Boot\DVD\EFI\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Panther\setupinfo.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\ehome\CreateDisc\Components\tables\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th1	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th2	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_0	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_1	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th0	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1988	vssadmin.exe
316	vssadmin.exe
1312	vssadmin.exe
1484	vssadmin.exe
948	vssadmin.exe
1932	vssadmin.exe
1596	vssadmin.exe
1932	vssadmin.exe
1216	vssadmin.exe
828	vssadmin.exe
1556	vssadmin.exe
240	vssadmin.exe
1476	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a989580e98d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dc71bf4c9a03474dbea49e383bfc4e730000000002000000000010660000000100002000000019958fcd9b3a4f82a30e4cf22ab60343169ffa8625e727323d2b75dafcc277c8000000000e800000000200002000000082c327a50b48d2cb12af0ca39310792d8ad33c6c9eb2785ec790107050254b28900000000e6cbc39a4dc70c539986430e8e1476a34bd7f22858ac045da61553391a6f2dfc1bb446ad0d65461b161703aeda357a9132028e4d022ec5d1a58a8fb17b96d8cffadcb229be8d9834e5a7a9223824307a6bfa7afa578427ac3310efac6f16c1f3a84c93bcd5c9adce06c026a851405cb9c2997728976b0757bcd429d235e2e65b4c3d165b3a14e3d7a81cf000cd3478540000000660cd0b4072e130bbdf59cbb11fabb583fa5d1c83fbecd5bc3b77a9cbe84a37ff716808bc096a6755f0d81e4147dbad9248a34fef3e4f17854aa3083ec24f5af	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{808E5721-0401-11EC-995E-4607060FEA31} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dc71bf4c9a03474dbea49e383bfc4e7300000000020000000000106600000001000020000000845d3f028f81d23e5862c0176818bbea9bcb5406a898fe066341af847d659c9a000000000e8000000002000020000000fc20905c5fc0e718a14d5e99053ea1552930f13fee8197def035ae8bca353b86200000008cc4debdeab5e23f8fbc16765e74e8e54aa7c63aa853a14d1c3d3c192b5fa9a040000000b991e27b5a2f1b6c678be0dbbcb0a42735d9ebbd31604e09ef60c1e2e3c6c30e0b437315f922ef26b8c03681862dd798612130196259a0e73725ab998d462772	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dc71bf4c9a03474dbea49e383bfc4e7300000000020000000000106600000001000020000000ee0dae0c2a43c5ae46c39eeee029d499fa450d8cd90f59efbfcb3a9dd93cdd28000000000e80000000020000200000005f925fc192e0c09a1b4840965d0f40aa9a13d10bf1b2cd6982f344e973e2f57e100000002653f4dd83999dc14b007c0609ac0e33400000008bb69f3a16b50c644d33f59fc93d22977d50d4ca7c5ca3f5abbc5e44db2b8e58aa42a086e9b6bbf059816f89716e266a97afdb1687486596fba12f5d05696df4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dc71bf4c9a03474dbea49e383bfc4e7300000000020000000000106600000001000020000000df4622b8d1342ece33bac1073861fe218c5743a94e04b84ff7b97c64f4120663000000000e8000000002000020000000c4c6366e924314c6fce5003f11e2b341a27610572e7f8301c7e99186e806cd4750000000900bf50914b5e7a28482bf260be1e235f7377994eb056ae1541ad1531385bc995a31a8668527890b830f6c3cd97563fd766adb926ee65d91884318a5a8e2b82eb73993b01baa9f2ac67a457d17c50c2a40000000e2b243132923105575c6d6b84ac4e9daa8581c1ef0d1b32ab7b77bce1ccaab4b62c69f1714c66a82bef6c4e1d9302b061e00069f4bec909b9ce6642dd73c1aa4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

948 NOTEPAD.EXE

pid	process
948	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

pid	process
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vssvc.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	1148	vssvc.exe
Token: SeRestorePrivilege	1148	vssvc.exe
Token: SeAuditPrivilege	1148	vssvc.exe
Token: SeIncreaseQuotaPrivilege	968	wmic.exe
Token: SeSecurityPrivilege	968	wmic.exe
Token: SeTakeOwnershipPrivilege	968	wmic.exe
Token: SeLoadDriverPrivilege	968	wmic.exe
Token: SeSystemProfilePrivilege	968	wmic.exe
Token: SeSystemtimePrivilege	968	wmic.exe
Token: SeProfSingleProcessPrivilege	968	wmic.exe
Token: SeIncBasePriorityPrivilege	968	wmic.exe
Token: SeCreatePagefilePrivilege	968	wmic.exe
Token: SeBackupPrivilege	968	wmic.exe
Token: SeRestorePrivilege	968	wmic.exe
Token: SeShutdownPrivilege	968	wmic.exe
Token: SeDebugPrivilege	968	wmic.exe
Token: SeSystemEnvironmentPrivilege	968	wmic.exe
Token: SeRemoteShutdownPrivilege	968	wmic.exe
Token: SeUndockPrivilege	968	wmic.exe
Token: SeManageVolumePrivilege	968	wmic.exe
Token: 33	968	wmic.exe
Token: 34	968	wmic.exe
Token: 35	968	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1052 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1052 iexplore.exe
1052 iexplore.exe
820 IEXPLORE.EXE
820 IEXPLORE.EXE
820 IEXPLORE.EXE
820 IEXPLORE.EXE
1052 iexplore.exe

pid	process
1052	iexplore.exe

pid	process
1052	iexplore.exe
1052	iexplore.exe
820	IEXPLORE.EXE
820	IEXPLORE.EXE
820	IEXPLORE.EXE
820	IEXPLORE.EXE
1052	iexplore.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exeiexplore.exe

description	pid	process	target process
PID 1248 wrote to memory of 1932	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1932	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1932	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1988	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1988	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1988	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1216	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1216	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1216	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 828	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 828	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 828	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1556	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1556	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1556	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 240	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 240	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 240	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 316	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 316	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 316	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1312	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1312	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1312	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1484	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1484	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1484	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1476	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1476	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1476	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 948	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 948	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 948	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1596	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1596	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1596	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1932	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1932	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 1932	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	vssadmin.exe
PID 1248 wrote to memory of 232	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	bcdedit.exe
PID 1248 wrote to memory of 232	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	bcdedit.exe
PID 1248 wrote to memory of 232	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	bcdedit.exe
PID 1248 wrote to memory of 2016	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	bcdedit.exe
PID 1248 wrote to memory of 2016	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	bcdedit.exe
PID 1248 wrote to memory of 2016	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	bcdedit.exe
PID 1248 wrote to memory of 1132	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wbadmin.exe
PID 1248 wrote to memory of 1132	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wbadmin.exe
PID 1248 wrote to memory of 1132	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wbadmin.exe
PID 1248 wrote to memory of 764	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wbadmin.exe
PID 1248 wrote to memory of 764	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wbadmin.exe
PID 1248 wrote to memory of 764	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wbadmin.exe
PID 1248 wrote to memory of 968	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wmic.exe
PID 1248 wrote to memory of 968	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wmic.exe
PID 1248 wrote to memory of 968	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	wmic.exe
PID 1052 wrote to memory of 820	1052	iexplore.exe	IEXPLORE.EXE
PID 1052 wrote to memory of 820	1052	iexplore.exe	IEXPLORE.EXE
PID 1052 wrote to memory of 820	1052	iexplore.exe	IEXPLORE.EXE
PID 1052 wrote to memory of 820	1052	iexplore.exe	IEXPLORE.EXE
PID 1248 wrote to memory of 792	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	cmd.exe
PID 1248 wrote to memory of 792	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	cmd.exe
PID 1248 wrote to memory of 792	1248	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	cmd.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

C:\Users\Admin\AppData\Local\Temp\0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
"C:\Users\Admin\AppData\Local\Temp\0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1248
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1932
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1988
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1216
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:828
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1556
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:240
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:316
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1312
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1484
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1476
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:948
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1596
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1932
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:232
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2016
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:1132
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:764
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0ABB4A~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_LOCK.TXT
1⤵
- Opens file in notepad (likely ransom note)
PID:948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Public\Desktop\!!!HOW_TO_DECRYPT!!!.mht
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1052 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\README_LOCK.TXT

MD5
3c9ff0d034c75e038a0ae611b54698ba

SHA1
2dcad5966f213870dccd275eeac2018181f05c5f

SHA256
82055c3a096216cb2b88aa6c0de90badd90cdb8e4b5b506f54f967833558be06

SHA512
bae970bc0fc696c59bf4c457c6dc63902d2b85388b6aa3215ff88abd55bbe785978c2bd0de1e1f2deddf124fa0efd1c6ebaf5f982351003f2447202163a9b1a2

Download Submit
C:\Users\Public\Desktop\!!!HOW_TO_DECRYPT!!!.mht

MD5
a6cd2b20f7df6fb7653061147d00ddbc

SHA1
d4cc238b4618ed27ccf5932b4e4e6ed048cf56fc

SHA256
f3109a33ed82755faeb1377ab288f0209f74237ab85d8002fe5cdc018f02d193

SHA512
2e00ad7d12c65e162855c10665d148a5f5a75317560218d04952a9200a7fbdb97c2d313afaf35f6c42898d4a5a7e48791dbab87f16e4107833e7063f617434c6

Download Submit
memory/232-74-0x0000000000000000-mapping.dmp

Download
memory/240-66-0x0000000000000000-mapping.dmp

Download
memory/316-67-0x0000000000000000-mapping.dmp

Download
memory/764-78-0x0000000000000000-mapping.dmp

Download
memory/792-85-0x0000000000000000-mapping.dmp

Download
memory/820-83-0x0000000000000000-mapping.dmp

Download
memory/828-64-0x0000000000000000-mapping.dmp

Download
memory/948-71-0x0000000000000000-mapping.dmp

Download
memory/968-80-0x0000000000000000-mapping.dmp

Download
memory/1132-76-0x0000000000000000-mapping.dmp

Download
memory/1216-63-0x0000000000000000-mapping.dmp

Download
memory/1248-60-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp

Filesize
8KB

Download
memory/1312-68-0x0000000000000000-mapping.dmp

Download
memory/1476-70-0x0000000000000000-mapping.dmp

Download
memory/1484-69-0x0000000000000000-mapping.dmp

Download
memory/1556-65-0x0000000000000000-mapping.dmp

Download
memory/1596-72-0x0000000000000000-mapping.dmp

Download
memory/1932-73-0x0000000000000000-mapping.dmp

Download
memory/1932-61-0x0000000000000000-mapping.dmp

Download
memory/1988-62-0x0000000000000000-mapping.dmp

Download
memory/2016-75-0x0000000000000000-mapping.dmp

Download