7f65f443d129dcfc59b3c2a001b5a1f3cda092b3008e62a73ab87ba8f782b215

Analysis

max time kernel
584s
max time network
368s
platform
windows7_x64
resource
win7-en-20211104
submitted
13/11/2021, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lock.exe
Size

2.2MB
MD5

fc93ecb882fbc1bac46aaf4232ce9b66
SHA1

e4cfd33fc8f20f05b07299845268a54dd33ffced
SHA256

7f65f443d129dcfc59b3c2a001b5a1f3cda092b3008e62a73ab87ba8f782b215
SHA512

2fffaf9f8c2305be7c55bc23b8822dab5ce961332833e0bffbb6cbbee01f97907e4b5b4e573b682f66b5309d462302e1db7df0f6df3b34dccaf323357dc2efca

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

\??\c:\users\Admin\Desktop\readme.txt

Ransom Note

ALL OF YOUR FILES HAVE BEEN ENCRYPTED !!!!! [+] Whats Happen? [+] Your files are now encrypted, and currently unavailable. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER) and it will be LEAKED. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in out interests. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have only one ways: 1) [RECOMMENDED] Using TOR Bundle! a) Download and run TOR Windows Bundle from this site: https://www.torproject.org/download/tor/ b) Download any irc software that supports socks proxy (e.g HexChat c) Setup tor proxy for irc software ( default host: 127.0.0.1 port 9050 d) Add http://y2cyumvhavcecc6kr5tpat5gdnz2lsw5ucjxbv7s2ggxsh7gj57omuyd.onion/6667 to your network list e) Set your nickname to nick@hostname f) Connect and join #support channel 2) If TOR blocked in your country, try to use VPN and try 1) HERE IS YOUR USERID:f76621de-24cd-4ecf-bfc4-560beeff6fbc Send it to us for decryption [*] If you don't receive a response, wait a while and resend it. [*]

URLs

http://y2cyumvhavcecc6kr5tpat5gdnz2lsw5ucjxbv7s2ggxsh7gj57omuyd.onion/6667

Signatures

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\SelectRead.png.dst	lock.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.dst	lock.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\cpu.css.dst	lock.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATETIME.JPG.dst	lock.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll.dst	lock.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll.dst	lock.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html.dst	lock.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_s.png.dst	lock.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll.dst	lock.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libstl_plugin.dll.dst	lock.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libt140_plugin.dll.dst	lock.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll.dst	lock.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png.dst	lock.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif.dst	lock.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM.dst	lock.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar.dst	lock.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll.dst	lock.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll.dst	lock.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\service.js.dst	lock.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png.dst	lock.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_tr.dll.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\VIEW.ICO.dst	lock.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png.dst	lock.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css.dst	lock.exe
File created	C:\Program Files\VideoLAN\VLC\README.txt.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OUTLFLTR.DLL.dst	lock.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.dst	lock.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll.dst	lock.exe
File created	C:\Program Files\Windows Journal\MSPVWCTL.DLL.dst	lock.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\drag.png.dst	lock.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png.dst	lock.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png.dst	lock.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar.dst	lock.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_AutoMask.bmp.dst	lock.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.dst	lock.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe.dst	lock.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10268_.GIF.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp.dst	lock.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css.dst	lock.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.dst	lock.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif.dst	lock.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\liboldrc_plugin.dll.dst	lock.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_es_plugin.dll.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_pressed.gif.dst	lock.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationBuildTasks.resources.dll.dst	lock.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar.dst	lock.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange.css.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR13F.GIF.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BUTTON.JPG.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\MANUAL.ICO.dst	lock.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.dst	lock.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BABY_01.MID.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01244_.GIF.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html.dst	lock.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html.dst	lock.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll.dst	lock.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14710_.GIF.dst	lock.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1540	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
472	lock.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 472 wrote to memory of 1124	472	lock.exe	29
PID 472 wrote to memory of 1124	472	lock.exe	29
PID 472 wrote to memory of 1124	472	lock.exe	29
PID 1124 wrote to memory of 1656	1124	cmd.exe	30
PID 1124 wrote to memory of 1656	1124	cmd.exe	30
PID 1124 wrote to memory of 1656	1124	cmd.exe	30
PID 1124 wrote to memory of 1896	1124	cmd.exe	31
PID 1124 wrote to memory of 1896	1124	cmd.exe	31
PID 1124 wrote to memory of 1896	1124	cmd.exe	31
PID 472 wrote to memory of 360	472	lock.exe	33
PID 472 wrote to memory of 360	472	lock.exe	33
PID 472 wrote to memory of 360	472	lock.exe	33
PID 472 wrote to memory of 1340	472	lock.exe	32
PID 472 wrote to memory of 1340	472	lock.exe	32
PID 472 wrote to memory of 1340	472	lock.exe	32
PID 472 wrote to memory of 540	472	lock.exe	34
PID 472 wrote to memory of 540	472	lock.exe	34
PID 472 wrote to memory of 540	472	lock.exe	34
PID 472 wrote to memory of 632	472	lock.exe	35
PID 472 wrote to memory of 632	472	lock.exe	35
PID 472 wrote to memory of 632	472	lock.exe	35
PID 472 wrote to memory of 484	472	lock.exe	36
PID 472 wrote to memory of 484	472	lock.exe	36
PID 472 wrote to memory of 484	472	lock.exe	36
PID 472 wrote to memory of 316	472	lock.exe	37
PID 472 wrote to memory of 316	472	lock.exe	37
PID 472 wrote to memory of 316	472	lock.exe	37
PID 472 wrote to memory of 760	472	lock.exe	39
PID 472 wrote to memory of 760	472	lock.exe	39
PID 472 wrote to memory of 760	472	lock.exe	39
PID 472 wrote to memory of 804	472	lock.exe	38
PID 472 wrote to memory of 804	472	lock.exe	38
PID 472 wrote to memory of 804	472	lock.exe	38
PID 472 wrote to memory of 1168	472	lock.exe	40
PID 472 wrote to memory of 1168	472	lock.exe	40
PID 472 wrote to memory of 1168	472	lock.exe	40
PID 1168 wrote to memory of 1680	1168	cmd.exe	45
PID 1168 wrote to memory of 1680	1168	cmd.exe	45
PID 1168 wrote to memory of 1680	1168	cmd.exe	45
PID 804 wrote to memory of 1112	804	cmd.exe	48
PID 804 wrote to memory of 1112	804	cmd.exe	48
PID 804 wrote to memory of 1112	804	cmd.exe	48
PID 540 wrote to memory of 976	540	cmd.exe	42
PID 540 wrote to memory of 976	540	cmd.exe	42
PID 540 wrote to memory of 976	540	cmd.exe	42
PID 1340 wrote to memory of 1072	1340	cmd.exe	49
PID 1340 wrote to memory of 1072	1340	cmd.exe	49
PID 1340 wrote to memory of 1072	1340	cmd.exe	49
PID 484 wrote to memory of 1544	484	cmd.exe	43
PID 484 wrote to memory of 1544	484	cmd.exe	43
PID 484 wrote to memory of 1544	484	cmd.exe	43
PID 316 wrote to memory of 1192	316	cmd.exe	46
PID 316 wrote to memory of 1192	316	cmd.exe	46
PID 316 wrote to memory of 1192	316	cmd.exe	46
PID 760 wrote to memory of 1560	760	cmd.exe	44
PID 760 wrote to memory of 1560	760	cmd.exe	44
PID 760 wrote to memory of 1560	760	cmd.exe	44
PID 632 wrote to memory of 1216	632	cmd.exe	47
PID 632 wrote to memory of 1216	632	cmd.exe	47
PID 632 wrote to memory of 1216	632	cmd.exe	47
PID 360 wrote to memory of 1968	360	cmd.exe	41
PID 360 wrote to memory of 1968	360	cmd.exe	41
PID 360 wrote to memory of 1968	360	cmd.exe	41
PID 976 wrote to memory of 1448	976	net.exe	54

C:\Users\Admin\AppData\Local\Temp\lock.exe
"C:\Users\Admin\AppData\Local\Temp\lock.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:472
- C:\Windows\system32\cmd.exe
  cmd.exe "/csc query | findstr SERVICE_NAME"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\system32\sc.exe
    sc query
    3⤵
    PID:1656
- - C:\Windows\system32\findstr.exe
    findstr SERVICE_NAME"
    3⤵
    PID:1896
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop AeLookupSvc"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\system32\net.exe
    net stop AeLookupSvc"
    3⤵
    PID:1072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AeLookupSvc"
      4⤵
      PID:1764
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Windows\system32\net.exe
    net stop "
    3⤵
    PID:1968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "
      4⤵
      PID:1100
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop AudioEndpointBuilder"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\system32\net.exe
    net stop AudioEndpointBuilder"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AudioEndpointBuilder"
      4⤵
      PID:1448
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop AudioSrv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\system32\net.exe
    net stop AudioSrv"
    3⤵
    PID:1216
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AudioSrv"
      4⤵
      PID:1328
    - - C:\Windows\system32\cipher.exe
        
        cipher /w:L
        5⤵
        
        PID:804
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop BF"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\system32\net.exe
    net stop BF"
    3⤵
    PID:1544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BF"
      4⤵
      PID:1884
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop BIT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\system32\net.exe
    net stop BIT"
    3⤵
    PID:1192
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BIT"
      4⤵
      PID:1716
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\system32\net.exe
    net stop "
    3⤵
    PID:1112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "
      4⤵
      PID:1888
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop Browser"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\system32\net.exe
    net stop Browser"
    3⤵
    PID:1560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop Browser"
      4⤵
      PID:924
- C:\Windows\system32\cmd.exe
  cmd.exe "/cnet stop SSDP"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\system32\net.exe
    net stop SSDP"
    3⤵
    PID:1680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SSDP"
      4⤵
      PID:1940
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:C
  2⤵
  PID:1696
- - C:\Windows\system32\cipher.exe
    cipher /w:C
    3⤵
    PID:1716
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:D
  2⤵
  PID:1452
- - C:\Windows\system32\cipher.exe
    cipher /w:D
    3⤵
    PID:1160
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:E
  2⤵
  PID:1100
- - C:\Windows\system32\cipher.exe
    cipher /w:E
    3⤵
    PID:1188
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:F
  2⤵
  PID:1468
- - C:\Windows\system32\cipher.exe
    cipher /w:F
    3⤵
    PID:1652
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:G
  2⤵
  PID:884
- - C:\Windows\system32\cipher.exe
    cipher /w:G
    3⤵
    PID:900
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:H
  2⤵
  PID:1932
- - C:\Windows\system32\cipher.exe
    cipher /w:H
    3⤵
    PID:1184
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:I
  2⤵
  PID:1728
- - C:\Windows\system32\cipher.exe
    cipher /w:I
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:J
  2⤵
  PID:1872
- - C:\Windows\system32\cipher.exe
    cipher /w:J
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:N
  2⤵
  PID:432
- - C:\Windows\system32\cipher.exe
    cipher /w:N
    3⤵
    PID:1268
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:L
  2⤵
  PID:1328
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:M
  2⤵
  PID:632
- - C:\Windows\system32\cipher.exe
    cipher /w:M
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:P
  2⤵
  PID:1164
- - C:\Windows\system32\cipher.exe
    cipher /w:P
    3⤵
    PID:1640
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:R
  2⤵
  PID:1996
- - C:\Windows\system32\cipher.exe
    cipher /w:R
    3⤵
    PID:300
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:Q
  2⤵
  PID:828
- - C:\Windows\system32\cipher.exe
    cipher /w:Q
    3⤵
    PID:892
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:S
  2⤵
  PID:2016
- - C:\Windows\system32\cipher.exe
    cipher /w:S
    3⤵
    PID:1524
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:T
  2⤵
  PID:1688
- - C:\Windows\system32\cipher.exe
    cipher /w:T
    3⤵
    PID:964
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:O
  2⤵
  PID:1556
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:K
  2⤵
  PID:1372
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:U
  2⤵
  PID:1972
- - C:\Windows\system32\cipher.exe
    cipher /w:U
    3⤵
    PID:1768
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:V
  2⤵
  PID:1900
- - C:\Windows\system32\cipher.exe
    cipher /w:V
    3⤵
    PID:1064
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:Y
  2⤵
  PID:292
- - C:\Windows\system32\cipher.exe
    cipher /w:Y
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:H
  2⤵
  PID:1140
- - C:\Windows\system32\cipher.exe
    cipher /w:H
    3⤵
    PID:1648
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:W
  2⤵
  PID:1332
- - C:\Windows\system32\cipher.exe
    cipher /w:W
    3⤵
    PID:1616
- C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /w:Z
  2⤵
  PID:1656
- - C:\Windows\system32\cipher.exe
    cipher /w:Z
    3⤵
    PID:1764

C:\Windows\system32\cipher.exe
cipher /w:K
1⤵
PID:360

C:\Windows\system32\cipher.exe
cipher /w:O
1⤵
PID:1380

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:560

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-119-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download