lockfile | a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0

Analysis

max time kernel
148s
max time network
133s
platform
windows10_x64
resource
win10-en-20210920
submitted
22-09-2021 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
Size

250KB
MD5

ef37842fc159631f9dd8f94c5e05a674
SHA1

07e19dd6f2b5ebe86614251860a067012d2a0ce9
SHA256

a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0
SHA512

e45235cea10568547a0cf9b3c3d5550eb76a67ebd950dad17bbd4fb1e441c9f904e7c6c0e268e1a8a8d6374de229bd0f096f4b45983febf6237987823ced00a4

Score

10^/10

lockfile ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\LOCKFILE-README.hta

Family

lockfile

Ransom Note

LOCK FILE Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: contact us qTox ID: B2F873769EB6B508EBC2103DDEB7366CEFB7B09AB8314DAD0C4346169072686690489B47EAEB https://tox.chat/download.html Email: [email protected] Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion This link only works in Tor Browser! Follow the instructions on this page Do not try to recover files yourself. this process can damage your data and recovery will become impossible Do not rename encrypted files. Do not waste time trying to find the solution on the Internet. The longer you wait, the higher will become the decryption key price Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Thanks to the warning wallpaper provided by lockbit, it's easy to use

Emails

[email protected]

URLs

https://tox.chat/download.html

http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion

Signatures

LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
ransomware lockfile

Drops file in Drivers directory 18 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\UMDF\en-US\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\de-DE\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\en-US\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\etc\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\UMDF\de-DE\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\UMDF\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\en-US\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\fr-FR\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\ja-JP\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\UMDF\fr-FR\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\drivers\UMDF\ja-JP\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\newsend.tiff	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File renamed	C:\Users\Admin\Pictures\NewSend.tiff => C:\Users\Admin\Pictures\newsend.tiff.lockfile	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File renamed	C:\Users\Admin\Pictures\WriteResize.raw => C:\Users\Admin\Pictures\writeresize.raw.lockfile	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_2272ffce58da1b4a\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\InputMethod\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\wbem\MOF\good\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\en-US\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\spp\tokens\legacy\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netb57va.inf_amd64_11911b9263320299\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-RasServer-MigPlugin\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\ja-JP\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\migration\de-DE\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DiagSvcs\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_356b66ad47b23393\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaep004.inf_amd64_320a448722d7c4e5\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\Speech\Engines\SR\ja-JP\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\RetailDemo\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\en-US\Licenses\_Default\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-IIS-DL\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\VpnClient\de-DE\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Wdac\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\en-GB\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\Dism\fr-FR\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_1394.inf_amd64_434b87ab8e7be963\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_smartcardfilter.inf_amd64_bea10c462bfdfa9d\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_sas3i.inf_amd64_78b44aee3a9f1cb6\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-OfflineFiles-DL\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\winrm\0409\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmeiger.inf_amd64_0ecea3151431bd10\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\xinputhid.inf_amd64_db028d70bdb5db0d\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\IME\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\config\Journal\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\F12\fr-FR\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\wbem\en\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\networklist\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr-FR\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_8343533b38a2a0da\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_e15abe7d25aa2071\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mf.inf_amd64_7c397b4cb794103c\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\he-IL\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\PointOfService\ProtocolProviders\ja-JP\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\MUI\0409\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\Configuration\PartialConfigurations\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic_heartbeat.inf_amd64_0684025061e1df14\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\spool\prtprocs\x64\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\CloudExperienceHost\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_241e254b15720c14\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\Licenses\neutral\Volume\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\zh-CN\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_59711c87047b3bee\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hal.inf_amd64_46273d75d66bd849\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_f42f0f60460b8950\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG5300\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\Work Folders\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\de-DE\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmx5560.inf_amd64_1965e65204acd540\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\slmgr\0407\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\RecoveryEnvironment\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\da-DK\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\DriverStore\FileRepository\61883.inf_amd64_a15f861d6669913e\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-IE-ESC\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\powerpointvl_mak-ul-phn.xrm-ms	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\svgcheckboxselected.svg	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\homebusinessr_oem_perp2-ppd.xrm-ms	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ado210.chm	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\ui-strings.js	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\namedurls.hxk	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Speech\en-GB\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_psd.svg	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-tool-view.js	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-si\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\camera.wav	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\ui-strings.js	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\ui-strings.js	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\proplus2019r_oem_perp5-pl.xrm-ms	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\he-il\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\it-it\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\Google\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\projectstdxc2rvl_kms_clientc2r-ppd.xrm-ms	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\visiostd2019vl_kms_client_ae-ul.xrm-ms	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\ui-strings.js	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\powerpointvl_mak-pl.xrm-ms	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\centeuro.txt	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\visioproco365r_subscription-pl.xrm-ms	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\js\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jce.jar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\signhere.pdf	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore\Resources\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_removeme-default_18.svg	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\suction.wav	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\plugin.js	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\license	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_netfx4-system.diagnostics.contracts_b03f5f7f11d50a3a_4.0.15552.17062_none_5226b54d711099a0\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-system.management.instrumentation_b03f5f7f11d50a3a_4.0.14917.0_none_4df2b7ceae903fa6\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..cfgclient.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_6bfa058e64f549dc\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\InfusedApps\Frameworks\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_flpydisk.inf_31bf3856ad364e35_10.0.15063.0_none_f81de966b34a78ab\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_es-es_c7c88d7dc401c162\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\wow64_windows-storage-compression-winrt_31bf3856ad364e35_10.0.15063.0_none_fda9618dd79df0f9\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_aaf722a283f6bf8c\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-isolatedusermode-sdk_31bf3856ad364e35_10.0.15063.0_none_82b06a2635dbf356\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nager-adm.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_03906c327963ff35\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..rds-winrt.resources_31bf3856ad364e35_10.0.15063.0_de-de_fc4981b0ff073845\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ybinaries.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_4cd50149b3447ca1\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-mscorsvc_dll_b03f5f7f11d50a3a_4.0.14917.0_none_5dfd59f20781c8ed\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..andgroups.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_f764c75ddd5672ac\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-default_win32manifest_b03f5f7f11d50a3a_4.0.14917.0_none_6e8cad5048e52c92\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_windows-shield-provider.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_f45116fe29ef1400\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00010427_31bf3856ad364e35_10.0.15063.0_none_a871e963c242a092\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4#\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appcontract-bmpolicy_31bf3856ad364e35_10.0.15063.0_none_15d351442bf405d1\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\msil_mmcex.resources_31bf3856ad364e35_10.0.15063.0_de-de_8d61202490df1db8\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-i..tbranding.resources_31bf3856ad364e35_11.0.15063.0_fr-fr_81a844d8e5843da0\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..k-qos-wmi.resources_31bf3856ad364e35_10.0.15063.0_de-de_566a5c7b42c9c3fc\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_de_31bf3856ad364e35\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c...appxmain.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_7f69d0b9e319a2c7\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..speech.0c09.cortana_31bf3856ad364e35_10.0.15063.0_none_c53c7ddcb7ec4eec\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.15063.0_hr-hr_5c9cca69a6cd3449\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_2a7ceb51efa52333\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_12db659a94f334be\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-basic-misc-tools_31bf3856ad364e35_10.0.15063.0_none_287090a9f83a48df\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.15063.0_de-de_6f3bad5a81a201f6\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-xwizards-duiplugin_31bf3856ad364e35_10.0.15063.0_none_6b7bf5d6d67dfc9c\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-fusion_dll_b03f5f7f11d50a3a_4.0.15552.17062_none_86547212d3d4af7b\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\x86_netfx35linq-system.addin.contract_31bf3856ad364e35_10.0.15063.0_none_dcf05af4bdb4a358\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\Assets\Fonts\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..spaces-creator-tool_31bf3856ad364e35_10.0.15063.0_none_806743e6508512ad\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-usbperf_31bf3856ad364e35_10.0.15063.0_none_b0f64969b0de2191\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-t..sionagent.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_c9fe5739be66a46f\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-wlangpui.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_713bc4b52c177393\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Office.Tools.Common.Implementation\v4.0_10.0.0.0__b03f5f7f11d50a3a\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Resources.Writer\v4.0_4.0.0.0__b03f5f7f11d50a3a\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..oldertool.resources_31bf3856ad364e35_10.0.15063.0_en-us_24642f9ed32c715b\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-settingsync_31bf3856ad364e35_10.0.15063.0_none_460ffc437aa64763\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Activities.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-programs-adm.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_7349b0f59da45e1f\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\msil_system.web.routing.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_fee1a7f2757fd4e2\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-tapi2xclient.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_ccd4023a333609ea\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_et-ee_67d1f793253502c0\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-00000485_31bf3856ad364e35_10.0.15063.0_none_fa1b63fc9be35216\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..platform2.resources_31bf3856ad364e35_11.0.15063.0_ja-jp_8e3110046c370d17\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.15063.0_none_bc611a88528e688d\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-mof_31bf3856ad364e35_10.0.15063.0_none_48f1bd0fbdbe4757\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_storufs.inf.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_d8ce411ae5f8d02c\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..rpautoreg.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_3222d9eec2d1f400\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.15063.0_none_268c868bc150c550\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\x86_netfx4-web_minimaltrust_config_b03f5f7f11d50a3a_4.0.15552.17062_none_96a506ac65c9277d\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-forfiles.resources_31bf3856ad364e35_10.0.15063.0_en-us_e9c2a33a22ffb59d\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mmdeviceapi.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_07c84fc5fb075a23\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_usbhub3.inf.resources_31bf3856ad364e35_10.0.15063.0_de-de_e2d379b6b1567690\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\msil_system.runtime.compilerservices.visualc_b03f5f7f11d50a3a_4.0.15552.17062_none_406dc38258968530\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Utility.Activities\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..i-prnfldr.resources_31bf3856ad364e35_10.0.15063.0_en-us_3d65db1e5d683d44\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-system.drawing.design.resources_b03f5f7f11d50a3a_4.0.14917.0_de-de_b532c330ec7380c7\RSSLLXYN-LOCKFILE-README.hta	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe

Kills process with WMI 9 IoCs

evasion

pid	Process
992	WMIC.exe
640	WMIC.exe
368	WMIC.exe
1960	WMIC.exe
3896	WMIC.exe
3992	WMIC.exe
2668	WMIC.exe
2640	WMIC.exe
504	WMIC.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3744	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2668	WMIC.exe
Token: SeSecurityPrivilege	2668	WMIC.exe
Token: SeTakeOwnershipPrivilege	2668	WMIC.exe
Token: SeLoadDriverPrivilege	2668	WMIC.exe
Token: SeSystemProfilePrivilege	2668	WMIC.exe
Token: SeSystemtimePrivilege	2668	WMIC.exe
Token: SeProfSingleProcessPrivilege	2668	WMIC.exe
Token: SeIncBasePriorityPrivilege	2668	WMIC.exe
Token: SeCreatePagefilePrivilege	2668	WMIC.exe
Token: SeBackupPrivilege	2668	WMIC.exe
Token: SeRestorePrivilege	2668	WMIC.exe
Token: SeShutdownPrivilege	2668	WMIC.exe
Token: SeDebugPrivilege	2668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2668	WMIC.exe
Token: SeRemoteShutdownPrivilege	2668	WMIC.exe
Token: SeUndockPrivilege	2668	WMIC.exe
Token: SeManageVolumePrivilege	2668	WMIC.exe
Token: 33	2668	WMIC.exe
Token: 34	2668	WMIC.exe
Token: 35	2668	WMIC.exe
Token: 36	2668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2668	WMIC.exe
Token: SeSecurityPrivilege	2668	WMIC.exe
Token: SeTakeOwnershipPrivilege	2668	WMIC.exe
Token: SeLoadDriverPrivilege	2668	WMIC.exe
Token: SeSystemProfilePrivilege	2668	WMIC.exe
Token: SeSystemtimePrivilege	2668	WMIC.exe
Token: SeProfSingleProcessPrivilege	2668	WMIC.exe
Token: SeIncBasePriorityPrivilege	2668	WMIC.exe
Token: SeCreatePagefilePrivilege	2668	WMIC.exe
Token: SeBackupPrivilege	2668	WMIC.exe
Token: SeRestorePrivilege	2668	WMIC.exe
Token: SeShutdownPrivilege	2668	WMIC.exe
Token: SeDebugPrivilege	2668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2668	WMIC.exe
Token: SeRemoteShutdownPrivilege	2668	WMIC.exe
Token: SeUndockPrivilege	2668	WMIC.exe
Token: SeManageVolumePrivilege	2668	WMIC.exe
Token: 33	2668	WMIC.exe
Token: 34	2668	WMIC.exe
Token: 35	2668	WMIC.exe
Token: 36	2668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2640	WMIC.exe
Token: SeSecurityPrivilege	2640	WMIC.exe
Token: SeTakeOwnershipPrivilege	2640	WMIC.exe
Token: SeLoadDriverPrivilege	2640	WMIC.exe
Token: SeSystemProfilePrivilege	2640	WMIC.exe
Token: SeSystemtimePrivilege	2640	WMIC.exe
Token: SeProfSingleProcessPrivilege	2640	WMIC.exe
Token: SeIncBasePriorityPrivilege	2640	WMIC.exe
Token: SeCreatePagefilePrivilege	2640	WMIC.exe
Token: SeBackupPrivilege	2640	WMIC.exe
Token: SeRestorePrivilege	2640	WMIC.exe
Token: SeShutdownPrivilege	2640	WMIC.exe
Token: SeDebugPrivilege	2640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2640	WMIC.exe
Token: SeRemoteShutdownPrivilege	2640	WMIC.exe
Token: SeUndockPrivilege	2640	WMIC.exe
Token: SeManageVolumePrivilege	2640	WMIC.exe
Token: 33	2640	WMIC.exe
Token: 34	2640	WMIC.exe
Token: 35	2640	WMIC.exe
Token: 36	2640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2640	WMIC.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2656	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	71
PID 2160 wrote to memory of 2656	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	71
PID 2656 wrote to memory of 2668	2656	cmd.exe	72
PID 2656 wrote to memory of 2668	2656	cmd.exe	72
PID 2160 wrote to memory of 3292	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	74
PID 2160 wrote to memory of 3292	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	74
PID 3292 wrote to memory of 2640	3292	cmd.exe	75
PID 3292 wrote to memory of 2640	3292	cmd.exe	75
PID 2160 wrote to memory of 3576	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	76
PID 2160 wrote to memory of 3576	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	76
PID 3576 wrote to memory of 992	3576	cmd.exe	77
PID 3576 wrote to memory of 992	3576	cmd.exe	77
PID 2160 wrote to memory of 2800	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	78
PID 2160 wrote to memory of 2800	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	78
PID 2800 wrote to memory of 504	2800	cmd.exe	79
PID 2800 wrote to memory of 504	2800	cmd.exe	79
PID 2160 wrote to memory of 4008	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	80
PID 2160 wrote to memory of 4008	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	80
PID 4008 wrote to memory of 368	4008	cmd.exe	81
PID 4008 wrote to memory of 368	4008	cmd.exe	81
PID 2160 wrote to memory of 3328	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	82
PID 2160 wrote to memory of 3328	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	82
PID 3328 wrote to memory of 1960	3328	cmd.exe	83
PID 3328 wrote to memory of 1960	3328	cmd.exe	83
PID 2160 wrote to memory of 2928	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	84
PID 2160 wrote to memory of 2928	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	84
PID 2928 wrote to memory of 640	2928	cmd.exe	85
PID 2928 wrote to memory of 640	2928	cmd.exe	85
PID 2160 wrote to memory of 672	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	86
PID 2160 wrote to memory of 672	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	86
PID 672 wrote to memory of 3896	672	cmd.exe	87
PID 672 wrote to memory of 3896	672	cmd.exe	87
PID 2160 wrote to memory of 1864	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	88
PID 2160 wrote to memory of 1864	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	88
PID 1864 wrote to memory of 3992	1864	cmd.exe	89
PID 1864 wrote to memory of 3992	1864	cmd.exe	89
PID 2160 wrote to memory of 1104	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	96
PID 2160 wrote to memory of 1104	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	96
PID 2160 wrote to memory of 652	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	97
PID 2160 wrote to memory of 652	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	97
PID 2160 wrote to memory of 808	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	98
PID 2160 wrote to memory of 808	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	98
PID 2160 wrote to memory of 804	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	99
PID 2160 wrote to memory of 804	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	99
PID 2160 wrote to memory of 3264	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	100
PID 2160 wrote to memory of 3264	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	100
PID 2160 wrote to memory of 3860	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	107
PID 2160 wrote to memory of 3860	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	107
PID 2160 wrote to memory of 672	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	101
PID 2160 wrote to memory of 672	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	101
PID 2160 wrote to memory of 4040	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	102
PID 2160 wrote to memory of 4040	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	102
PID 2160 wrote to memory of 3300	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	103
PID 2160 wrote to memory of 3300	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	103
PID 2160 wrote to memory of 792	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	104
PID 2160 wrote to memory of 792	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	104
PID 2160 wrote to memory of 1384	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	105
PID 2160 wrote to memory of 1384	2160	a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe	105
PID 1384 wrote to memory of 3744	1384	cmd.exe	109
PID 1384 wrote to memory of 3744	1384	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe
"C:\Users\Admin\AppData\Local\Temp\a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmwp%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vmwp%'" call terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%virtualbox%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%virtualbox%'" call terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vbox%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vbox%'" call terminate
    3⤵
    - Kills process with WMI
    PID:992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%sqlservr%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%sqlservr%'" call terminate
    3⤵
    - Kills process with WMI
    PID:504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%mysqld%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%mysqld%'" call terminate
    3⤵
    - Kills process with WMI
    PID:368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%omtsreco%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%omtsreco%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%oracle%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%oracle%'" call terminate
    3⤵
    - Kills process with WMI
    PID:640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%tnslsnr%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%tnslsnr%'" call terminate
    3⤵
    - Kills process with WMI
    PID:3896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmware%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vmware%'" call terminate
    3⤵
    - Kills process with WMI
    PID:3992
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:1104
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:652
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:808
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:804
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:3264
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:672
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:4040
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:3300
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:792
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 && del "C:\Users\Admin\AppData\Local\Temp\a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0.exe" && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:3744
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:3860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads