f62e16331ff6b8514bf7285df5f829f40c5eafb6c07180afc38bb670ff77a7d6

Resubmissions

12/09/2022, 17:36

220912-v6ng1ahecq 4

12/09/2022, 16:57

220912-vgcn7sdff7 1

12/09/2022, 16:42

220912-t75x1adfe5 1

12/09/2022, 16:35

220912-t3vlgahddr 1

Analysis

max time kernel
1638s
max time network
1519s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2022, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decrypted.xlsx
Size

44KB
MD5

87555a91dcf29533d97a5a15dcba0399
SHA1

38c779ae0852f52a0cd96f710172517a53cb230a
SHA256

da7ad3bdbc357f1579f83704c76a095a4614321606c95323bd518c8f1c21783a
SHA512

d1c154b796e5065d5d3eedb71084538148fc93a53101c0ddc549ecb94bfc835c4d0ee01b645858c46374f1e1612b8b3e515bab2f43313c4b18ad317bbad93563
SSDEEP

768:Ydi8TzBPCP4XwBkNWZ3cjvmWa+V7kX9On8YWihjZ01qMapVsiU/UFxh3+q/RNP:YM8TlZCkNWZ3c3ayEINZcHapVsXcFxhB

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WORDPAD.INI	WORDPAD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 39384a26b9aed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DC7182D2-32D2-11ED-89AC-D2A4FF929712} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.bin\ = "bin_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\bin_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\bin_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\bin_auto_file\shell\open	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.bin	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\bin_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\bin_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\bin_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\bin_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\bin_auto_file\shell	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1936	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
404	EXCEL.EXE
4284	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	3268	7zG.exe
Token: 35	3268	7zG.exe
Token: SeSecurityPrivilege	3268	7zG.exe
Token: SeSecurityPrivilege	3268	7zG.exe
Token: SeRestorePrivilege	2820	7zG.exe
Token: 35	2820	7zG.exe
Token: SeSecurityPrivilege	2820	7zG.exe
Token: SeSecurityPrivilege	2820	7zG.exe
Token: SeRestorePrivilege	2184	7zG.exe
Token: 35	2184	7zG.exe
Token: SeSecurityPrivilege	2184	7zG.exe
Token: SeSecurityPrivilege	2184	7zG.exe
Token: SeRestorePrivilege	4616	7zG.exe
Token: 35	4616	7zG.exe
Token: SeSecurityPrivilege	4616	7zG.exe
Token: SeSecurityPrivilege	4616	7zG.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3268	7zG.exe
2820	7zG.exe
2184	7zG.exe
4616	7zG.exe
1560	iexplore.exe
1560	iexplore.exe
4284	EXCEL.EXE
4284	EXCEL.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
404	EXCEL.EXE
3248	WORDPAD.EXE
3248	WORDPAD.EXE
3248	WORDPAD.EXE
3248	WORDPAD.EXE
3248	WORDPAD.EXE
2084	OpenWith.exe
2084	OpenWith.exe
2084	OpenWith.exe
2084	OpenWith.exe
2084	OpenWith.exe
2084	OpenWith.exe
2084	OpenWith.exe
2084	OpenWith.exe
2084	OpenWith.exe
2084	OpenWith.exe
2084	OpenWith.exe
3284	OpenWith.exe
4356	OpenWith.exe
4356	OpenWith.exe
4356	OpenWith.exe
4356	OpenWith.exe
4356	OpenWith.exe
4356	OpenWith.exe
4356	OpenWith.exe
1560	iexplore.exe
1560	iexplore.exe
216	IEXPLORE.EXE
216	IEXPLORE.EXE
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe
1836	OpenWith.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 3248	392	MSOXMLED.EXE	114
PID 392 wrote to memory of 3248	392	MSOXMLED.EXE	114
PID 2084 wrote to memory of 2784	2084	OpenWith.exe	119
PID 2084 wrote to memory of 2784	2084	OpenWith.exe	119
PID 4356 wrote to memory of 1560	4356	OpenWith.exe	124
PID 4356 wrote to memory of 1560	4356	OpenWith.exe	124
PID 1560 wrote to memory of 216	1560	iexplore.exe	125
PID 1560 wrote to memory of 216	1560	iexplore.exe	125
PID 1560 wrote to memory of 216	1560	iexplore.exe	125
PID 1836 wrote to memory of 1936	1836	OpenWith.exe	127
PID 1836 wrote to memory of 1936	1836	OpenWith.exe	127
PID 364 wrote to memory of 1868	364	MSOXMLED.EXE	130
PID 364 wrote to memory of 1868	364	MSOXMLED.EXE	130
PID 5056 wrote to memory of 4908	5056	MSOXMLED.EXE	132
PID 5056 wrote to memory of 4908	5056	MSOXMLED.EXE	132
PID 2164 wrote to memory of 4640	2164	MSOXMLED.EXE	139
PID 2164 wrote to memory of 4640	2164	MSOXMLED.EXE	139
PID 4592 wrote to memory of 916	4592	MSOXMLED.EXE	141
PID 4592 wrote to memory of 916	4592	MSOXMLED.EXE	141

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4792

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\decrypted\" -spe -an -ai#7zMap14654:100:7zEvent28780
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3268

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\decrypted\" -spe -an -ai#7zMap26480:100:7zEvent8377
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2820

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "C:\Users\Admin\AppData\Local\Temp\decrypted\[Content_Types].xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:392
- C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
  "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted\[Content_Types].xml"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2036

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\decrypted\xl\embeddings\oleObject1\" -spe -an -ai#7zMap10512:148:7zEvent14611
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2184

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\decrypted\xl\embeddings\oleObject1\[1]Ole
  2⤵
  PID:2784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3284

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\decrypted\xl\printerSettings\printerSettings1\" -spe -an -ai#7zMap20044:170:7zEvent13556
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\decrypted\xl\printerSettings\printerSettings1.bin
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\decrypted\xl\printerSettings\printerSettings1.bin
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1936

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "C:\Users\Admin\AppData\Local\Temp\decrypted\xl\worksheets\sheet1.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:364
- C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
  "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted\xl\worksheets\sheet1.xml"
  2⤵
  PID:1868

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "C:\Users\Admin\AppData\Local\Temp\decrypted\xl\worksheets\sheet2.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
  "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted\xl\worksheets\sheet2.xml"
  2⤵
  PID:4908

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "C:\Users\Admin\AppData\Local\Temp\decrypted\xl\worksheets\sheet3.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
  "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted\xl\worksheets\sheet3.xml"
  2⤵
  PID:4640

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "C:\Users\Admin\AppData\Local\Temp\decrypted\xl\worksheets\sheet1.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
  "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted\xl\worksheets\sheet1.xml"
  2⤵
  - Drops file in Windows directory
  PID:916

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:4284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
3e5b4b3cc597625d4d34ffc2a70ddcc9

SHA1
a8ea6b6b1ef617e0a446598e061c22616d2d46d2

SHA256
d28dc40f026d2807a9455e1f78728b2d7bb8a761b2d1850fbade9ee98baf1cf1

SHA512
73bd4c9b6cee8017e240bc39a656c603df52efa4fee62404a75200093673ad9069068372e395ece095c4d1725706e06dc28210b64bb220f902b157de5a6dd111

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
412B

MD5
ace10711397ba5d4bdd9dd7a6a695f33

SHA1
ce6819c1e7472608d7cbcbc5b8084a03049693c1

SHA256
9f66da50586d154621c1be16aae4bcf695727683db84a4327c2b214ce5e39ff2

SHA512
7568672f8df0874d2e52b678db3114e5046f7f3dd66acdb3a85dc0e338ae9c2c120911a7a434d93908976b1d7120682a4eeb079d9424c7dafb04c71fd8bda908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
324KB

MD5
09054487e8c69240c9416b375b2916a9

SHA1
f00ff01ae8c39170c57f9b27cedea8ef75f455b3

SHA256
2d895d38c2f9874b296b8d5d8eef1e3738230d416f4b10517099027c0fe9b876

SHA512
971c817f16331dbf06bd908ae5440ee5bc55ddab549cee258b792170c1f2144d4cfcbd14cee31e3e2f9606d0e3e48f226564131023fc035ed67d4e1b171b97f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml

Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
a6064fc9ce640751e063d9af443990da

SHA1
367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

SHA256
5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

SHA512
0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\decrypted\[Content_Types].xml

Filesize
1KB

MD5
19b5aa9ccc71c10404efc80313bc81ff

SHA1
3a5eff43f7aefdb2266e74f0f8c3bbf95a73645b

SHA256
186dea72bd36b52c5336f85da132fa9023475cd71cc8d276aa232520b80818a4

SHA512
4f4157c636011bf273a2658e4d173805f6181953de19356d87fd3895a2503b82f166bf5a7c2b94e9e35d75bd6346a4c3a824590cc5a1e7e977c885455a57b93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\decrypted\xl\embeddings\oleObject1.bin

Filesize
2KB

MD5
aacfff47cab4ecf1aabd613525abb45d

SHA1
c64f4e6b45567d3c0136059caf2d936f8132ffbf

SHA256
84db27a3bcf8a69a9cc63e2d52d4d34aa3a696b8e490751791c6359f676cb6f8

SHA512
6e59890ac2fd76b8c27faedf7dd8ac208cfec6ed7f3c35aa4204303142385d983ada2011d245d67b22e8f1e757791a0f74cd59f6f643fb63740a0cedd228833a

Download Submit
C:\Users\Admin\AppData\Local\Temp\decrypted\xl\embeddings\oleObject1\[1]Ole

Filesize
388B

MD5
9e59b8be5826389673a2c345c8972e74

SHA1
b215991c702669c752254bfd3273564c7a9967b5

SHA256
d105e1cd56a6ecfb7bb93e65e9ec627d7440d78a80c1f89c746fadf987ef20cb

SHA512
25ca1c9aefbfe6dbc0e13592394721011c8658b2d886b8edc1cfcbc68bbc671a6a2e98451723eaa9919f9f2a427e35d98adc064c49ae4300862a893eff229f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\decrypted\xl\printerSettings\printerSettings1.bin

Filesize
5KB

MD5
75b2fcf08a69f34352c54ebc175a1748

SHA1
407683908d0582ebd04493627981fe426a928167

SHA256
1fd5106f1cbc8eff781f74bc40d21fba15a7a29481b1f033e6d401bb4c7a13cc

SHA512
58532c589735a5bfcd6692f2840278cb7a9210564b8ecc89975329d827e06eeb6f6545cb3601807db1499d4b2ccc330deca0f3bfd2a8fba1308c738d78f6f153

Download Submit
C:\Users\Admin\AppData\Local\Temp\decrypted\xl\worksheets\sheet1.xml

Filesize
667B

MD5
b57eb73f83fb1c3a6231944894367745

SHA1
38f6ac1af4bb33cc607b6cce17c9aef564163cbc

SHA256
ba4246bc7b6f1eb15e3ce179386d4b169fe19c9641077edfbea7f8545a7af69f

SHA512
abecc707e4c3104d165ea0ad2b2183d30fc7ce306cb16351fdddbda1a8fa5ae58bb581bc95f08583382a04e6139f29b978472d7ef232a3120215236b17e508ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\decrypted\xl\worksheets\sheet2.xml

Filesize
675B

MD5
cf0bc3c1e608afe83b55ad4a6a4cf359

SHA1
cb20895007f6020a157ddf0e69488c800d5536f2

SHA256
cadd39c70d737c8271df41e392d4d1f1bdd700ea98cfc2442e1c9d5964c3975e

SHA512
807a5253faf16a22210301a224f41213de4c320e486deef917441723e7b5dff53d67fd2aaf632d613a9f10c1bb982ba89469bde4147e69acb2947b3ab0e5651d

Download Submit
C:\Users\Admin\AppData\Local\Temp\decrypted\xl\worksheets\sheet3.xml

Filesize
469B

MD5
6968de6df4158534b2cfaf44b939d310

SHA1
610e507b0c41f5fa4e179df8607fa68e89aadff6

SHA256
8bb3660360e186bf94b31a0a1866f791ed18fe34c98c18330bfa4f9cc6c2009d

SHA512
4498a5494036039e3814a7a615a8d4667c44cf0629e8e205a546155c17f0bc0d639aeb490d235461ff4b80ede30ed95158c1922d24f5b24a0e702987aa596359

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
memory/392-146-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/392-147-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/392-148-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/392-144-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/392-145-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/392-151-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/392-152-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/392-153-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/392-154-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/404-136-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/404-137-0x00007FF979000000-0x00007FF979010000-memory.dmp

Filesize
64KB

Download
memory/404-141-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/404-143-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/404-134-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/404-142-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/404-135-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/404-140-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/404-132-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/404-133-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/404-138-0x00007FF979000000-0x00007FF979010000-memory.dmp

Filesize
64KB

Download
memory/4284-203-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/4284-207-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/4284-206-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/4284-205-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/4284-204-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/5056-178-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/5056-179-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/5056-181-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/5056-175-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/5056-174-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/5056-172-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/5056-173-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/5056-171-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download
memory/5056-180-0x00007FF97B4F0000-0x00007FF97B500000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads