lockfile | 2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a | Triage

Analysis

max time kernel
145s
max time network
19s
platform
windows7_x64
resource
win7v20210408
submitted
28-08-2021 23:45

Sharing

Report Analysis Logs

General

Target

2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
Size

250KB
MD5

1f0a89360bb9471af8b2b1136eafd65f
SHA1

a7bd3592ff31c5c659cda9810936ddce842d6590
SHA256

2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a
SHA512

c696ee6a3a65cf01f120724c8536d14bbdc5283e6a62e1a26454629ea30c4015d62c1ba6139ca158f9952d6028ea7d9a1f76a4d2adad4e3a377d06607f5ad031

Score

10^/10

lockfile ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\LOCKFILE-README.hta

Family

lockfile

Ransom Note

LOCK FILE Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: contact us qTox ID: B2F873769EB6B508EBC2103DDEB7366CEFB7B09AB8314DAD0C4346169072686690489B47EAEB https://tox.chat/download.html Email: [email protected] Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion This link only works in Tor Browser! Follow the instructions on this page Do not try to recover files yourself. this process can damage your data and recovery will become impossible Do not rename encrypted files. Do not waste time trying to find the solution on the Internet. The longer you wait, the higher will become the decryption key price Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Thanks to the warning wallpaper provided by lockbit, it's easy to use

Emails

[email protected]

URLs

https://tox.chat/download.html

http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion

Signatures

LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
ransomware lockfile

Drops file in Drivers directory 9 IoCs

Processes:

2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe

description	ioc	process
File created	C:\Windows\System32\drivers\UMDF\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\drivers\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\drivers\etc\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\drivers\UMDF\en-US\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\drivers\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\drivers\en-US\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\drivers\en-US\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

Processes:

2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BackupDisconnect.raw => C:\Users\Admin\Pictures\backupdisconnect.raw.lockfile	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File renamed	C:\Users\Admin\Pictures\OptimizeMerge.crw => C:\Users\Admin\Pictures\optimizemerge.crw.lockfile	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Users\Admin\Pictures\removeresolve.tiff	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File renamed	C:\Users\Admin\Pictures\RemoveResolve.tiff => C:\Users\Admin\Pictures\removeresolve.tiff.lockfile	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe

Drops startup file 1 IoCs

Processes:

2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 64 IoCs

Processes:

2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj2.inf_amd64_neutral_0cf7696e2236ca4e\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_neutral_59c2a018fe2cf0b4\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\en-US\Licenses\_Default\StarterE\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\Configuration\Schema\MSFT_FileDirectoryConfiguration\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaus.inf_amd64_neutral_5fa4270b9924b918\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl005.inf_amd64_neutral_8b56291bfd2a4061\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmke.inf_amd64_neutral_3e4daa83122b1559\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\migration\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-DHCPServerMigPlugin-DL\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\spool\prtprocs\x64\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\en-US\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\en-US\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSScheduledJob\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsupr3.inf_amd64_neutral_8416bd6e64a8e858\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00h.inf_amd64_neutral_96a8e38189e54d71\Amd64\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00c.inf_amd64_neutral_79ebe29715d2fa47\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\en-US\Licenses\eval\HomePremiumN\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\GroupPolicy\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\LogFiles\SQM\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\gameport.inf_amd64_neutral_fe5c4f29488f121e\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa5.inf_amd64_neutral_ea8128ac5da37eb9\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj5.inf_amd64_neutral_15940559c66fe8d9\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\config\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00a.inf_amd64_neutral_d64d696193e69d7b\Amd64\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\Amd64\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\ja-JP\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00a.inf_amd64_neutral_163313056d8f34ab\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\fi-FI\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer-DRM-DL\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidirkbd.inf_amd64_neutral_2b561a02e977e2e3\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc003.inf_amd64_neutral_47e09b7cc0d9e993\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NDIS\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\NetworkList\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-shmig-DL\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\Speech\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\spp\tokens\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averfx2hbtv_x64.inf_amd64_neutral_7216b6fb23536c40\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_sas2.inf_amd64_neutral_e12a5c4cfbe49204\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\migwiz\dlmanifests\BITSExtensions-Server\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\en-US\Licenses\_Default\UltimateN\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\migwiz\dlmanifests\Microsoft-ActiveDirectory-WebServices-DL\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_neutral_1cb648411f252d13\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdm5674a.inf_amd64_neutral_46f893a4f998bb46\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmti.inf_amd64_neutral_4443b423d18c3ffc\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm002.inf_amd64_neutral_7c42808e24ebff99\Amd64\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\config\systemprofile\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterN\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\en-US\Licenses\_Default\StarterN\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\IME\shared\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppLocker\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalE\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\pangnirtung	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\dd01157_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0107188.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Program Files\MSBuild\Microsoft\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\bd08808_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\na00330_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\webpage.dpv	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\usercontrol.zip	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\mswds_en.lex	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\an01084_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\default.dotx	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\prrt.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\bs00145_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\bs00135_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0152608.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\mspub_k_col.hxk	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\perth	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_hk.properties	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\ashgabat	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\easter	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\bs01634_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0234000.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadataresource.xsd	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_cn.jar	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\bl00148_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\dd01172_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\na00057_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\whoosh.wav	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\courierstd-bold.otf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\cancun	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\hh00057_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0301432.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\bs01635_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\hm00172_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0090087.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\fd00814_.wmf	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe

Drops file in Windows directory 64 IoCs

Processes:

2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_mdmtron.inf_31bf3856ad364e35_6.1.7600.16385_none_1a632a9b22180b83\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_prnca00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0b1f851a342db2ad\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-0000042b_31bf3856ad364e35_6.1.7600.16385_none_63467282a4519345\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_de-de_dd2822fe8544398a\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\IME\IMEJP10\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..iprovider.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a2e96ec3a0ee3fa3\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_netfx-mscorsec_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_9e8b6c6f9c9684f3\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..e-defaultcasingfile_31bf3856ad364e35_6.1.7600.16385_none_da58f2b1dd9d0275\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.1.7600.16385_none_1f7373be61daf614\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TextWriterTraceListener\v4.0_4.0.0.0__b03f5f7f11d50a3a\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-10017_31bf3856ad364e35_6.1.7600.16385_none_2435364129e044b2\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting\664e4afe397442c26ea9ededbb639ce5\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..p-support.resources_31bf3856ad364e35_8.0.7600.16385_en-us_15c06431e26d1b99\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ncryptui-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e26c71180aac7351\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\Boot\PCAT\ru-RU\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sonic-symphonypal_31bf3856ad364e35_6.1.7600.16385_none_cd66bc3541f90a26\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..cquisition-wiawow64_31bf3856ad364e35_6.1.7600.16385_none_2874ea220a5507fd\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-jsprofilercore_31bf3856ad364e35_11.2.9600.16428_none_90e013f98e0ffb66\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\Globalization\MCT\MCT-US\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-migrate.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d578b4dd9eb0ca47\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_en-us_09d25d5db275f73d\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\msil_system.runtime.serialization.ref_b77a5c561934e089_6.1.7601.17514_none_a67f221874da7f4c\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\inf\SMSvcHost 4.0.0.0\000C\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..qlserver-driver-rll_31bf3856ad364e35_6.1.7600.16385_none_6b30411f5be7bc84\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-webdavredir-mrxdav_31bf3856ad364e35_6.1.7601.17514_none_72d0eaa6dc5b2edb\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-cdosys_31bf3856ad364e35_6.1.7601.17514_none_86c0afe17064a99d\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-mfh264enc_31bf3856ad364e35_6.1.7600.16385_none_f0ab47a182598e3b\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\CSC\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationClient\v4.0_4.0.0.0__31bf3856ad364e35\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000044c_31bf3856ad364e35_6.1.7600.16385_none_596321ce6fa80913\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_prnlx00d.inf_31bf3856ad364e35_6.1.7600.16385_none_62689a3eadfe9b80\Amd64\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-compact.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cd993ca7dc92d5bd\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.IO.Cb3b124c8#\bcc98e7bf9586de018b1e89fb5b8abff\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_netfx-_vc_assembly_linker_messages_b03f5f7f11d50a3a_6.1.7600.16385_none_f20aed264cd46699\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\msil_microsoft.powershel..anagement.resources_31bf3856ad364e35_7.2.7601.23317_en-us_3a91acad53cfb27b\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..e-ehdebug.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6c5834f4c9a4b21b\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-deskmon.resources_31bf3856ad364e35_6.1.7600.16385_en-us_157ecd3a5d823e33\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-photo-printing-wizard_31bf3856ad364e35_6.1.7601.17514_none_56f03a373b53e5ef\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_921f7aaac68bcb70\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-s..engine-nativeengine_31bf3856ad364e35_6.1.7600.16385_none_5ab95222c3014a28\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0\9.0.0.0__b03f5f7f11d50a3a\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000040a_31bf3856ad364e35_6.1.7600.16385_none_58806e9270399981\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-windowscolorsystem-adm_31bf3856ad364e35_6.1.7600.16385_none_f0556db6185e1bb7\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ig-registrar-wizard_31bf3856ad364e35_6.1.7600.16385_none_3d090e2060b5b3fc\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_c05aebf71c48096c\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_wpf-uiautomationclient_31bf3856ad364e35_6.1.7600.16385_none_366de9d75af975b0\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-label.resources_31bf3856ad364e35_6.1.7600.16385_en-us_42bcad17bddd3828\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_hu-hu_faf66397e6b5f43f\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_prnrc003.inf_31bf3856ad364e35_6.1.7600.16385_none_215e6e687572d186\Amd64\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_wpdcomp.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2ca950a644fd00ec\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..registrar.resources_31bf3856ad364e35_6.1.7600.16385_en-us_786caddbc35d7721\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\inf\BITS\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_11.2.9600.16428_none_e440068bb6e1438c\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-photoacquire_31bf3856ad364e35_6.1.7601.17514_none_925c6a062361e055\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Numerics\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
File created	C:\Windows\winsxs\amd64_blbdrive.inf_31bf3856ad364e35_6.1.7600.16385_none_e96898ffe0d97c7e\LOCKFILE-README-QWOCTUPM-1630201299.hta	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe

Kills process with WMI 9 IoCs
evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

1432 WMIC.exe
1608 WMIC.exe
572 WMIC.exe
584 WMIC.exe
1932 WMIC.exe
1836 WMIC.exe
380 WMIC.exe
2040 WMIC.exe
268 WMIC.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

Modify Registry

Processes:

mshta.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1176 PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2040	WMIC.exe
Token: SeSecurityPrivilege	2040	WMIC.exe
Token: SeTakeOwnershipPrivilege	2040	WMIC.exe
Token: SeLoadDriverPrivilege	2040	WMIC.exe
Token: SeSystemProfilePrivilege	2040	WMIC.exe
Token: SeSystemtimePrivilege	2040	WMIC.exe
Token: SeProfSingleProcessPrivilege	2040	WMIC.exe
Token: SeIncBasePriorityPrivilege	2040	WMIC.exe
Token: SeCreatePagefilePrivilege	2040	WMIC.exe
Token: SeBackupPrivilege	2040	WMIC.exe
Token: SeRestorePrivilege	2040	WMIC.exe
Token: SeShutdownPrivilege	2040	WMIC.exe
Token: SeDebugPrivilege	2040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2040	WMIC.exe
Token: SeRemoteShutdownPrivilege	2040	WMIC.exe
Token: SeUndockPrivilege	2040	WMIC.exe
Token: SeManageVolumePrivilege	2040	WMIC.exe
Token: 33	2040	WMIC.exe
Token: 34	2040	WMIC.exe
Token: 35	2040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2040	WMIC.exe
Token: SeSecurityPrivilege	2040	WMIC.exe
Token: SeTakeOwnershipPrivilege	2040	WMIC.exe
Token: SeLoadDriverPrivilege	2040	WMIC.exe
Token: SeSystemProfilePrivilege	2040	WMIC.exe
Token: SeSystemtimePrivilege	2040	WMIC.exe
Token: SeProfSingleProcessPrivilege	2040	WMIC.exe
Token: SeIncBasePriorityPrivilege	2040	WMIC.exe
Token: SeCreatePagefilePrivilege	2040	WMIC.exe
Token: SeBackupPrivilege	2040	WMIC.exe
Token: SeRestorePrivilege	2040	WMIC.exe
Token: SeShutdownPrivilege	2040	WMIC.exe
Token: SeDebugPrivilege	2040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2040	WMIC.exe
Token: SeRemoteShutdownPrivilege	2040	WMIC.exe
Token: SeUndockPrivilege	2040	WMIC.exe
Token: SeManageVolumePrivilege	2040	WMIC.exe
Token: 33	2040	WMIC.exe
Token: 34	2040	WMIC.exe
Token: 35	2040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1608	WMIC.exe
Token: SeSecurityPrivilege	1608	WMIC.exe
Token: SeTakeOwnershipPrivilege	1608	WMIC.exe
Token: SeLoadDriverPrivilege	1608	WMIC.exe
Token: SeSystemProfilePrivilege	1608	WMIC.exe
Token: SeSystemtimePrivilege	1608	WMIC.exe
Token: SeProfSingleProcessPrivilege	1608	WMIC.exe
Token: SeIncBasePriorityPrivilege	1608	WMIC.exe
Token: SeCreatePagefilePrivilege	1608	WMIC.exe
Token: SeBackupPrivilege	1608	WMIC.exe
Token: SeRestorePrivilege	1608	WMIC.exe
Token: SeShutdownPrivilege	1608	WMIC.exe
Token: SeDebugPrivilege	1608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1608	WMIC.exe
Token: SeRemoteShutdownPrivilege	1608	WMIC.exe
Token: SeUndockPrivilege	1608	WMIC.exe
Token: SeManageVolumePrivilege	1608	WMIC.exe
Token: 33	1608	WMIC.exe
Token: 34	1608	WMIC.exe
Token: 35	1608	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1608	WMIC.exe
Token: SeSecurityPrivilege	1608	WMIC.exe
Token: SeTakeOwnershipPrivilege	1608	WMIC.exe
Token: SeLoadDriverPrivilege	1608	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1628 wrote to memory of 2028	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 2028	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 2028	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 2028 wrote to memory of 2040	2028	cmd.exe	WMIC.exe
PID 2028 wrote to memory of 2040	2028	cmd.exe	WMIC.exe
PID 2028 wrote to memory of 2040	2028	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 1604	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 1604	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 1604	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1604 wrote to memory of 1608	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 1608	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 1608	1604	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 588	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 588	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 588	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 588 wrote to memory of 268	588	cmd.exe	WMIC.exe
PID 588 wrote to memory of 268	588	cmd.exe	WMIC.exe
PID 588 wrote to memory of 268	588	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 1620	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 1620	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 1620	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1620 wrote to memory of 572	1620	cmd.exe	WMIC.exe
PID 1620 wrote to memory of 572	1620	cmd.exe	WMIC.exe
PID 1620 wrote to memory of 572	1620	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 792	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 792	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 792	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 792 wrote to memory of 584	792	cmd.exe	WMIC.exe
PID 792 wrote to memory of 584	792	cmd.exe	WMIC.exe
PID 792 wrote to memory of 584	792	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 112	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 112	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 112	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 112 wrote to memory of 1932	112	cmd.exe	WMIC.exe
PID 112 wrote to memory of 1932	112	cmd.exe	WMIC.exe
PID 112 wrote to memory of 1932	112	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 1104	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 1104	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 1104	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1104 wrote to memory of 1836	1104	cmd.exe	WMIC.exe
PID 1104 wrote to memory of 1836	1104	cmd.exe	WMIC.exe
PID 1104 wrote to memory of 1836	1104	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 1116	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 1116	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 1116	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1116 wrote to memory of 380	1116	cmd.exe	WMIC.exe
PID 1116 wrote to memory of 380	1116	cmd.exe	WMIC.exe
PID 1116 wrote to memory of 380	1116	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 1692	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 1692	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1628 wrote to memory of 1692	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	cmd.exe
PID 1692 wrote to memory of 1432	1692	cmd.exe	WMIC.exe
PID 1692 wrote to memory of 1432	1692	cmd.exe	WMIC.exe
PID 1692 wrote to memory of 1432	1692	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 996	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	mshta.exe
PID 1628 wrote to memory of 996	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	mshta.exe
PID 1628 wrote to memory of 996	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	mshta.exe
PID 1628 wrote to memory of 1152	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	mshta.exe
PID 1628 wrote to memory of 1152	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	mshta.exe
PID 1628 wrote to memory of 1152	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	mshta.exe
PID 1628 wrote to memory of 1648	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	mshta.exe
PID 1628 wrote to memory of 1648	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	mshta.exe
PID 1628 wrote to memory of 1648	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	mshta.exe
PID 1628 wrote to memory of 1804	1628	2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe
"C:\Users\Admin\AppData\Local\Temp\2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmwp%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vmwp%'" call terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%virtualbox%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%virtualbox%'" call terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vbox%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vbox%'" call terminate
    3⤵
    - Kills process with WMI
    PID:268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%sqlservr%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%sqlservr%'" call terminate
    3⤵
    - Kills process with WMI
    PID:572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%mysqld%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%mysqld%'" call terminate
    3⤵
    - Kills process with WMI
    PID:584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%omtsreco%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%omtsreco%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%oracle%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%oracle%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%tnslsnr%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%tnslsnr%'" call terminate
    3⤵
    - Kills process with WMI
    PID:380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmware%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vmware%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1432
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:996
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:1152
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1648
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1804
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1344
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1260
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1320
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1068
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1968
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1340
- C:\Windows\system32\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 && del "C:\Users\Admin\AppData\Local\Temp\2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a.bin.exe" && exit
  2⤵
  PID:240
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\LOCKFILE-README.hta

MD5
eb158675e76fc2445e6763566d99a7c3

SHA1
f204da7d6e4c3aa5bfce08b3aa203b286eec972c

SHA256
2a46f52d5cab528f6b23fc1496945129a52ab7fc240a701529db7818e7a8d9e9

SHA512
78f017e88ad661cacf0b497903cc65e891c61b3cc651d72270852511dc5c7821fc21ead347e9e2d79c9d01876204fae2f4a08da7fcc46fa7342dcf58ad85fd55

Download Submit
memory/112-70-0x0000000000000000-mapping.dmp

Download
memory/240-88-0x0000000000000000-mapping.dmp

Download
memory/268-65-0x0000000000000000-mapping.dmp

Download
memory/380-75-0x0000000000000000-mapping.dmp

Download
memory/572-67-0x0000000000000000-mapping.dmp

Download
memory/584-69-0x0000000000000000-mapping.dmp

Download
memory/588-64-0x0000000000000000-mapping.dmp

Download
memory/792-68-0x0000000000000000-mapping.dmp

Download
memory/996-78-0x0000000000000000-mapping.dmp

Download
memory/1068-85-0x0000000000000000-mapping.dmp

Download
memory/1104-72-0x0000000000000000-mapping.dmp

Download
memory/1116-74-0x0000000000000000-mapping.dmp

Download
memory/1152-79-0x0000000000000000-mapping.dmp

Download
memory/1260-83-0x0000000000000000-mapping.dmp

Download
memory/1320-89-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download
memory/1320-84-0x0000000000000000-mapping.dmp

Download
memory/1340-87-0x0000000000000000-mapping.dmp

Download
memory/1344-82-0x0000000000000000-mapping.dmp

Download
memory/1432-77-0x0000000000000000-mapping.dmp

Download
memory/1604-62-0x0000000000000000-mapping.dmp

Download
memory/1608-63-0x0000000000000000-mapping.dmp

Download
memory/1620-66-0x0000000000000000-mapping.dmp

Download
memory/1648-80-0x0000000000000000-mapping.dmp

Download
memory/1692-76-0x0000000000000000-mapping.dmp

Download
memory/1804-81-0x0000000000000000-mapping.dmp

Download
memory/1836-73-0x0000000000000000-mapping.dmp

Download
memory/1932-71-0x0000000000000000-mapping.dmp

Download
memory/1968-86-0x0000000000000000-mapping.dmp

Download
memory/2028-60-0x0000000000000000-mapping.dmp

Download
memory/2040-61-0x0000000000000000-mapping.dmp

Download