Analysis

  • max time kernel
    152s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-06-2022 06:43

General

  • Target

    26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe

  • Size

    238KB

  • MD5

    c2cd821ccd6eec05ec67be3a99ba0f71

  • SHA1

    916e018fe28774ef227e839b98dc0a85c13d64a3

  • SHA256

    26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14

  • SHA512

    8fbe6edcd6c58ec34815e5ba422cf335445a50a958de5758bcefa29fc9179a7fe9c31fb7f5d5c5f310304709496e7e64f539a25d907a349c1e15bf8861f3d548

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\!HELP_SOS.hta

Ransom Note
Language selector: English Deutsch Italiano Português Español Français 한국어 Nederlands العربية فارسی 中文

Banner: "The file is encrypted but can be restored" (the same line is repeated in German, Italian, Portuguese, Spanish, French, Korean, Dutch, Arabic, Persian and Chinese).

The file you tried to open and other important files on your computer were encrypted by "SAGE 2.0 Ransomware". Action required to restore your files.

File recovery instructions

You probably noticed that you can not open your files and that some software stopped working correctly. This is expected. Your files content is still there, but it was encrypted by "SAGE 2.0 Ransomware". Your files are not lost, it is possible to revert them back to normal state by decrypting. The only way you can do that is by getting "SAGE Decrypter" software and your personal decryption key. Using any other software which claims to be able to restore your files will result in files being damaged or destroyed.

You can purchase "SAGE Decrypter" software and your decryption key at your personal page you can access by following links:
http://7gie6ffnkrjykggd.op7su2.com/
http://7gie6ffnkrjykggd.pe6zawc.com/

If you are asked for your personal key, copy it to the form on the site. This is your personal key: AWLuRCaH58mvPpXSIPixiup5_ED1jMVx4gEe7OjDjRNUZeyP91SCU2LA

You will also be able to decrypt one file for free to make sure "SAGE Decrypter" software is able to recover your files.

If none of those links work for you for a prolonged period of time or you need your files recovered as fast as possible, you can also access your personal page using "Tor Browser".
In order to do that you need to:

  • open Internet Explorer or any other internet browser;
  • copy the address https://www.torproject.org/download/download-easy.html.en into address bar and press "Enter";
  • once the page opens, you will be offered to download Tor Browser, download it and run the installator, follow installation instructions;
  • once installation is finished, open the newly installed Tor Browser and press the "Connect" button (button can be named differently if you installed non-English version);
  • Tor Browser will establish connection and open a normal browser window;
  • copy the address http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvPpXSIPixiup5_ED1jMVx4gEe7OjDjRNUZeyP91SCU2LA into this browser address bar and press "Enter";
  • your personal page should be opened now; if it didn't then wait for a bit and try again.

If you can not perform this steps then check your internet connection and try again. If it still doesn't work, try asking some computer guy for help in performing this steps for you or look for some video guides on YouTube. You can find a copy of this instruction in files named "!HELP_SOS" stored next to your encrypted files.

The same note is then repeated in German, Italian, Portuguese, Spanish and French, each copy carrying the same two clearnet links, the same personal key and the same .onion login address. The German copy still contains the unexpanded template tokens {us_enc}} and {a_youtube}} where the ransomware name and the YouTube link should have been substituted. The extracted text is cut off partway through the French copy.
URLs

http://7gie6ffnkrjykggd.op7su2.com/

http://7gie6ffnkrjykggd.pe6zawc.com/

http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvPpXSIPixiup5_ED1jMVx4gEe7OjDjRNUZeyP91SCU2LA

Signatures

  • Contacts a large (7719) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies Control Panel 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 15 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes (child processes are nested under their parent)

  • C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
    "C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe"
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
      "C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe" g
      • Suspicious use of FindShellTrayWindow
      PID:1572
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /CREATE /TN "HP43icp3" /TR "C:\Users\Admin\AppData\Roaming\srpj9hP6.exe" /SC ONLOGON /RL HIGHEST /F
      • Creates scheduled task(s)
      PID:1128
    • C:\Users\Admin\AppData\Roaming\srpj9hP6.exe
      "C:\Users\Admin\AppData\Roaming\srpj9hP6.exe"
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4592
      • C:\Users\Admin\AppData\Roaming\srpj9hP6.exe
        "C:\Users\Admin\AppData\Roaming\srpj9hP6.exe" g
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        PID:4680
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        PID:448
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"
        PID:460
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /DELETE /TN /F "HP43icp3"
        PID:1012
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\__config16184093.bat"
        • Suspicious use of WriteProcessMemory
        PID:4472
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 2
          • Runs ping.exe
          PID:2140
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\__config252888.bat"
      • Suspicious use of WriteProcessMemory
      PID:4412
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        • Runs ping.exe
        PID:1284
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    PID:2184
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4940 CREDAT:17410 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4988
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4940 CREDAT:82948 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2440
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4940 CREDAT:17414 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3384
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4940 CREDAT:17418 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3472
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2fc 0x2f4
    • Suspicious use of AdjustPrivilegeToken
    PID:5036

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (T1053): 1
  • Persistence: Scheduled Task (T1053): 1
  • Privilege Escalation: Scheduled Task (T1053): 1
  • Defense Evasion: Modify Registry (T1112): 2
  • Discovery: Network Service Scanning (T1046): 2; Query Registry (T1012): 1; System Information Discovery (T1082): 2; Remote System Discovery (T1018): 1
  • Impact: Defacement (T1491): 1

Downloads

  • C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
    Filesize: 2KB
    MD5: 110ea891292e3a11e4a543d479aa8d1d
    SHA1: e91bed98bf77cdc79f34570f1ea63a27b496530a
    SHA256: 276a18fa66a2c9da84311017ebcab55cc58b4bcce4fc1079906389852846be16
    SHA512: 44e9ba2d667513512efa5e0641b70be8d94b933f72992b31bf207a0b845956d8e2830d0d47b8a5d0508771fd61a32bdcc3e8124cbc920eb4772548ab45a4674c

  • C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk (no size reported; these are the digests of an empty file)
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
    Filesize: 2KB
    MD5: 6d9a00e82a3834103bf137ff70b19684
    SHA1: a2c1eaed45e3660ade4165bc59a9f38037eef486
    SHA256: fa0668b7bd415b73312ab9a4bfc07ed9cb54d32aae651d90cbc72e2bd40e881d
    SHA512: 94574dcd206056c8d3839105f24b46f226201b052222c9cc371d559b735ba1aea4ddf99b409d8dee496b276be7d5d51988432c884f148f8dcff6e0eaef22930e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: 253626de057b0d04c41cb8a08245fcbe
    SHA1: ffcb46236625dc17807021f8fe706efda9970958
    SHA256: 75b3965bbb50f8e182b84896c7496cc36b3710b95bf607734a2dae8c40588989
    SHA512: 6bab75dea365fe30bc00ac7d53db9d9876929ad2f7576d9090fdd5a3950f2e98b46edd573f3c5c8ab2ccaaab9c4c2e36cc515fa6419b7931a4a9e8b2b44e3113

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 434B
    MD5: 3895372ed18d1913aea2ecac859b0ce1
    SHA1: 95797a31fb0087d5f48c2541ef5ba835b7200ff0
    SHA256: c86a944b7c54e5b7d04bb5d2f648ec002aec36b1ea700696ccde5d04b2625185
    SHA512: 8a823b66343576617f5169f819e7ac661d55cb6c393997df04f15aa50207844960c33a836ab0eef0f121a43ce7445cf78ba1de550876caa30493d7f9e279a7ce

  • C:\Users\Admin\AppData\Local\Temp\__config16184093.bat
    Filesize: 218B
    MD5: 8f267b238307c7860f37fdeaefdc3548
    SHA1: 0bf6a0515796ad3b138feceb24a4e9ff48aed406
    SHA256: b1b856fb63f66e36a25604223ad3aff171631ee0a052b3f926a4085fa17efb1f
    SHA512: fe68232f5949909090505397ccd803f93355bf16c2ad84708bf4ffec90de68fd39630c8ee6a9d40268d3a35ee6219afcbee164f421439afe5f31929af7a850a4

  • C:\Users\Admin\AppData\Local\Temp\__config252888.bat
    Filesize: 227B
    MD5: 1e8c5838db63b92198de92957ef20172
    SHA1: 31609e51b5ddbddedfcc78a9ab8201749b17d18b
    SHA256: accba60a1555d17f7d990e8e40280c2f344120de968280b212b714edc690561d
    SHA512: 58c3027427749dfb78387f90b88e76c8d8eb3242f43c62cb9aede72f288caafc78126e140a1874a20649fa75523809526d7f2936e4dce53aaf9b9f4527b82bd4

  • C:\Users\Admin\AppData\Local\Temp\f1.vbs
    Filesize: 3KB
    MD5: 4c999bbfddd5513d08d2d414c92ac2f4
    SHA1: 23e40ea4b75dc037a5cdfce521826737090dce09
    SHA256: 9a55ac3ff3c115b686c19da0a88a9e7525aa62d49c69b107addf8efd33a16215
    SHA512: 7b48cbff08a98f273afb78262167030395fab421718df559625867b91f98fbb0eb0152e8002568428086d1bd3f03f9c9ab26fdabdf9e33ffcea8f5c56529b944

  • C:\Users\Admin\AppData\Roaming\L85kmSXC.tmp
    Filesize: 65B
    MD5: f152f43111cf087813bd828e6abcb78f
    SHA1: 66cb2ba24f02e87d494bfe7c712a94a83561ce28
    SHA256: 5690752969a9abd697876985cc7aac3f13d7521bd91058026f81e504f2e5bdae
    SHA512: a1d03caa8551145f565736e07882576c81036dc01a4816a0a5319ac63821b41c4e6de3f49e20f463f38aef92b14eb30f49e84f5237dcc3424870d814ab9a1a83

  • C:\Users\Admin\AppData\Roaming\srpj9hP6.exe (listed three times in the report with identical hashes; it is a byte-for-byte copy of the submitted sample)
    Filesize: 238KB
    MD5: c2cd821ccd6eec05ec67be3a99ba0f71
    SHA1: 916e018fe28774ef227e839b98dc0a85c13d64a3
    SHA256: 26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14
    SHA512: 8fbe6edcd6c58ec34815e5ba422cf335445a50a958de5758bcefa29fc9179a7fe9c31fb7f5d5c5f310304709496e7e64f539a25d907a349c1e15bf8861f3d548

  • C:\Users\Admin\Desktop\!HELP_SOS.hta
    Filesize: 52KB
    MD5: 3890fc84f1b9c77e570f59fa854fa0ef
    SHA1: 844d7dc91ad1ec3cc5e1eea7537efb670d0a1d1e
    SHA256: 7a7db2d8d81d5622a7a3cc5df8f4c10d6cc6c9c7950bafc3e5b7c66cf34dfb3b
    SHA512: 715f2514b92d319fea178ff80fef180097c989aacf20c8d1125dd1ebb5a3034da3629f39642280349eba75235e768408ae4d3adbc755ffab7bf95a52d13cdf44

Memory dumps

  • memory/448-158-0x0000000000000000-mapping.dmp
  • memory/460-160-0x0000000000000000-mapping.dmp
  • memory/1012-161-0x0000000000000000-mapping.dmp
  • memory/1128-133-0x0000000000000000-mapping.dmp
  • memory/1284-143-0x0000000000000000-mapping.dmp
  • memory/1572-144-0x00000000039A0000-0x00000000039CF000-memory.dmp (Filesize: 188KB)
  • memory/1572-132-0x0000000000000000-mapping.dmp
  • memory/1572-137-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1572-136-0x00000000039A0000-0x00000000039CF000-memory.dmp (Filesize: 188KB)
  • memory/1576-130-0x0000000003A30000-0x0000000003A5F000-memory.dmp (Filesize: 188KB)
  • memory/1576-135-0x0000000003A30000-0x0000000003A5F000-memory.dmp (Filesize: 188KB)
  • memory/1576-131-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/2140-165-0x0000000000000000-mapping.dmp
  • memory/4412-141-0x0000000000000000-mapping.dmp
  • memory/4472-163-0x0000000000000000-mapping.dmp
  • memory/4592-152-0x0000000003940000-0x000000000396F000-memory.dmp (Filesize: 188KB)
  • memory/4592-147-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4592-146-0x0000000003940000-0x000000000396F000-memory.dmp (Filesize: 188KB)
  • memory/4592-138-0x0000000000000000-mapping.dmp
  • memory/4680-149-0x0000000000000000-mapping.dmp
  • memory/4680-153-0x0000000003890000-0x00000000038BF000-memory.dmp (Filesize: 188KB)
  • memory/4680-155-0x0000000003890000-0x00000000038BF000-memory.dmp (Filesize: 188KB)
  • memory/4680-154-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)