89553444e2b621c1894b6b14023db472f28120ee311adbca8618eaa0106837eb

Analysis

max time kernel
121s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2022 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

214KB
MD5

1175cee6112669df046466d218109fb5
SHA1

25569cd2d388f1e08ee14afd982b236d45d24b76
SHA256

89553444e2b621c1894b6b14023db472f28120ee311adbca8618eaa0106837eb
SHA512

c23c8c9025f1267e55b20c0f42103b556e9323d3e42a1a7f3ad1810565da43f55ca7a96c1cad0740462436c62f1b8392eee1ae90aa9657f3d88aafb27ac75175
SSDEEP

6144:myJE1yd7WHJmcyfjtPWna4DQFu/U3buRKlemZ9DnGAevIhdiFy+:mU/d7WsvBPWa4DQFu/U3buRKlemZ9Dn4

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] 1. Visit https://tox.chat/download.html 2. Download and install qTOX on your PC. 3. Open it, click "New Profile" and create profile. 4. Click "Add friends" button and search our contact - 126E30C4CC9DE90F79D1FA90830FDC2069A2E981ED26B6DC148DA8827FB3D63A1B46CFDEC191 Your personal ID: 839-154-C75 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

URLs

https://tox.chat/download.html

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

1.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConvertUnpublish.tiff	1.exe
File opened for modification	C:\Users\Admin\Pictures\SearchCheckpoint.tiff	1.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectSave.tiff	1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	Process
File opened (read-only)	\??\K:	1.exe
File opened (read-only)	\??\F:	1.exe
File opened (read-only)	\??\X:	1.exe
File opened (read-only)	\??\V:	1.exe
File opened (read-only)	\??\P:	1.exe
File opened (read-only)	\??\M:	1.exe
File opened (read-only)	\??\I:	1.exe
File opened (read-only)	\??\G:	1.exe
File opened (read-only)	\??\B:	1.exe
File opened (read-only)	\??\Z:	1.exe
File opened (read-only)	\??\Y:	1.exe
File opened (read-only)	\??\U:	1.exe
File opened (read-only)	\??\S:	1.exe
File opened (read-only)	\??\R:	1.exe
File opened (read-only)	\??\L:	1.exe
File opened (read-only)	\??\J:	1.exe
File opened (read-only)	\??\N:	1.exe
File opened (read-only)	\??\H:	1.exe
File opened (read-only)	\??\E:	1.exe
File opened (read-only)	\??\A:	1.exe
File opened (read-only)	\??\W:	1.exe
File opened (read-only)	\??\T:	1.exe
File opened (read-only)	\??\Q:	1.exe
File opened (read-only)	\??\O:	1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
12	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

1.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	1.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.loplup.839-154-C75	1.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\RMNSQUE.ELM.loplup.839-154-C75	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\hive.xsl	1.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions2x.png	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd.loplup.839-154-C75	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\THMBNAIL.PNG.loplup.839-154-C75	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\ui-strings.js.loplup.839-154-C75	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-lightunplated.png	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif.loplup.839-154-C75	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark.gif	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\visualvm.conf.loplup.839-154-C75	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.INF	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-white_scale-100.png	1.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxMetadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-256.png	1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-100.png	1.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.loplup.839-154-C75	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\PREVIEW.GIF	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIF	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-336.png	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\ui-strings.js	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\go-mobile.png	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_CN.jar	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML.loplup.839-154-C75	1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-200.png	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.loplup.839-154-C75	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-125.png	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\ui-strings.js	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign-2x.png.loplup.839-154-C75	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\he-il\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.loplup.839-154-C75	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.loplup.839-154-C75	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\RoundedFreehand3D.mp4	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated.png	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-white_scale-200.png	1.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200.png	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\ui-strings.js.loplup.839-154-C75	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_contrast-white.png	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png	1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-200.png	1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-250.png	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar.loplup.839-154-C75	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.loplup.839-154-C75	1.exe

Drops file in Windows directory 1 IoCs

Processes:

1.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid	Process
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2848	WMIC.exe
Token: SeSecurityPrivilege	2848	WMIC.exe
Token: SeTakeOwnershipPrivilege	2848	WMIC.exe
Token: SeLoadDriverPrivilege	2848	WMIC.exe
Token: SeSystemProfilePrivilege	2848	WMIC.exe
Token: SeSystemtimePrivilege	2848	WMIC.exe
Token: SeProfSingleProcessPrivilege	2848	WMIC.exe
Token: SeIncBasePriorityPrivilege	2848	WMIC.exe
Token: SeCreatePagefilePrivilege	2848	WMIC.exe
Token: SeBackupPrivilege	2848	WMIC.exe
Token: SeRestorePrivilege	2848	WMIC.exe
Token: SeShutdownPrivilege	2848	WMIC.exe
Token: SeDebugPrivilege	2848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2848	WMIC.exe
Token: SeRemoteShutdownPrivilege	2848	WMIC.exe
Token: SeUndockPrivilege	2848	WMIC.exe
Token: SeManageVolumePrivilege	2848	WMIC.exe
Token: 33	2848	WMIC.exe
Token: 34	2848	WMIC.exe
Token: 35	2848	WMIC.exe
Token: 36	2848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2848	WMIC.exe
Token: SeSecurityPrivilege	2848	WMIC.exe
Token: SeTakeOwnershipPrivilege	2848	WMIC.exe
Token: SeLoadDriverPrivilege	2848	WMIC.exe
Token: SeSystemProfilePrivilege	2848	WMIC.exe
Token: SeSystemtimePrivilege	2848	WMIC.exe
Token: SeProfSingleProcessPrivilege	2848	WMIC.exe
Token: SeIncBasePriorityPrivilege	2848	WMIC.exe
Token: SeCreatePagefilePrivilege	2848	WMIC.exe
Token: SeBackupPrivilege	2848	WMIC.exe
Token: SeRestorePrivilege	2848	WMIC.exe
Token: SeShutdownPrivilege	2848	WMIC.exe
Token: SeDebugPrivilege	2848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2848	WMIC.exe
Token: SeRemoteShutdownPrivilege	2848	WMIC.exe
Token: SeUndockPrivilege	2848	WMIC.exe
Token: SeManageVolumePrivilege	2848	WMIC.exe
Token: 33	2848	WMIC.exe
Token: 34	2848	WMIC.exe
Token: 35	2848	WMIC.exe
Token: 36	2848	WMIC.exe
Token: SeBackupPrivilege	4968	vssvc.exe
Token: SeRestorePrivilege	4968	vssvc.exe
Token: SeAuditPrivilege	4968	vssvc.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe
Token: SeLoadDriverPrivilege	1568	WMIC.exe
Token: SeSystemProfilePrivilege	1568	WMIC.exe
Token: SeSystemtimePrivilege	1568	WMIC.exe
Token: SeProfSingleProcessPrivilege	1568	WMIC.exe
Token: SeIncBasePriorityPrivilege	1568	WMIC.exe
Token: SeCreatePagefilePrivilege	1568	WMIC.exe
Token: SeBackupPrivilege	1568	WMIC.exe
Token: SeRestorePrivilege	1568	WMIC.exe
Token: SeShutdownPrivilege	1568	WMIC.exe
Token: SeDebugPrivilege	1568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1568	WMIC.exe
Token: SeRemoteShutdownPrivilege	1568	WMIC.exe
Token: SeUndockPrivilege	1568	WMIC.exe
Token: SeManageVolumePrivilege	1568	WMIC.exe
Token: 33	1568	WMIC.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

1.execmd.execmd.exe

description	pid	Process	procid_target
PID 3168 wrote to memory of 2036	3168	1.exe	97
PID 3168 wrote to memory of 2036	3168	1.exe	97
PID 3168 wrote to memory of 2036	3168	1.exe	97
PID 3168 wrote to memory of 460	3168	1.exe	98
PID 3168 wrote to memory of 460	3168	1.exe	98
PID 3168 wrote to memory of 460	3168	1.exe	98
PID 3168 wrote to memory of 4040	3168	1.exe	99
PID 3168 wrote to memory of 4040	3168	1.exe	99
PID 3168 wrote to memory of 4040	3168	1.exe	99
PID 3168 wrote to memory of 3316	3168	1.exe	101
PID 3168 wrote to memory of 3316	3168	1.exe	101
PID 3168 wrote to memory of 3316	3168	1.exe	101
PID 3168 wrote to memory of 1584	3168	1.exe	103
PID 3168 wrote to memory of 1584	3168	1.exe	103
PID 3168 wrote to memory of 1584	3168	1.exe	103
PID 3168 wrote to memory of 5052	3168	1.exe	105
PID 3168 wrote to memory of 5052	3168	1.exe	105
PID 3168 wrote to memory of 5052	3168	1.exe	105
PID 3168 wrote to memory of 4492	3168	1.exe	107
PID 3168 wrote to memory of 4492	3168	1.exe	107
PID 3168 wrote to memory of 4492	3168	1.exe	107
PID 2036 wrote to memory of 2848	2036	cmd.exe	110
PID 2036 wrote to memory of 2848	2036	cmd.exe	110
PID 2036 wrote to memory of 2848	2036	cmd.exe	110
PID 5052 wrote to memory of 5036	5052	cmd.exe	111
PID 5052 wrote to memory of 5036	5052	cmd.exe	111
PID 5052 wrote to memory of 5036	5052	cmd.exe	111
PID 5052 wrote to memory of 1568	5052	cmd.exe	114
PID 5052 wrote to memory of 1568	5052	cmd.exe	114
PID 5052 wrote to memory of 1568	5052	cmd.exe	114
PID 3168 wrote to memory of 4832	3168	1.exe	119
PID 3168 wrote to memory of 4832	3168	1.exe	119
PID 3168 wrote to memory of 4832	3168	1.exe	119
PID 3168 wrote to memory of 4832	3168	1.exe	119
PID 3168 wrote to memory of 4832	3168	1.exe	119
PID 3168 wrote to memory of 4832	3168	1.exe	119

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:4040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:3316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  PID:1584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe" -agent 0
  2⤵
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4492
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:4832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
262B

MD5
e6545ccb3660f88529716ed4e647c713

SHA1
ecd628f29985599a24c5c1d23083c689917dd74e

SHA256
e802bf0c4481bef693d4d1f307aba48301e330d3728dd46a4ec97c4a96b4d4a7

SHA512
f745e7d5dd006083234e783dd5dc7fb83043a7d0479ea2a91a2ddbc8c20ca47343516efbd155271768c675a22b32e88febdfe51551ec42dfdb64805c62c3188d

Download Submit
C:\Users\Admin\Desktop\BackupCompare.kix.loplup.839-154-C75

Filesize
531KB

MD5
36fba2b8dbd54c5346f607860720a474

SHA1
2fd17f969a64251e98b6e71903bf96d114a2b206

SHA256
ebbd7b70abd3990cb33342bd078f9287ba544ea45f24ff713a2d818cfed3f58d

SHA512
0d45ea341714f2082b9614578c84244604d6ea2433f7df037f2a286e0ee2f5e17a58f717c6abab71453bb572dc22a46492722059c787627ff9335ef89cd96fcc

Download Submit
C:\Users\Admin\Desktop\ClearAdd.htm.loplup.839-154-C75

Filesize
275KB

MD5
030350247cf3cfa6bc7433f9a1465824

SHA1
6f3a648c94da802d7056a5aab700b1df8cac1508

SHA256
53d3eb177c8e2f18e23ca689dec3ccb74f6c768a6bbcd620330d57162327e312

SHA512
14057c5631043363d144c4eb64ae14b497b46d8faf42bbd29d0b09364a1bc9e6cddc14d40803d0d562a603689883a41079e869703f6790b8a2c210359b33d1a0

Download Submit
C:\Users\Admin\Desktop\CloseMove.scf.loplup.839-154-C75

Filesize
550KB

MD5
97313ffe7b952bb6ca21a088adf284c4

SHA1
0a334bb1c26228bbb1e44b6bd39da45834cd0a96

SHA256
8d2cd1ec72183019c822793385d5bbe3af8a09d580f2d5ecb0305426d22d592c

SHA512
0b52b1b6d31eff3ab25ec3988f46b0474985eaa0d992b76627f7c422dd8405614ddcfcfab38a93ad8f713e25da39d7f7e71d13b6300b99c62650fe074cba52b8

Download Submit
C:\Users\Admin\Desktop\ConvertFromClear.ico.loplup.839-154-C75

Filesize
495KB

MD5
9cc22f0928c145e0f4de1bd01ada6229

SHA1
5a4591a19f6dd84434d486f0cf0455289c4b439e

SHA256
3fa2e16821bb383e966dda6b1a6eb6feba3ad9cb884a6ab2a8764cf73e78183e

SHA512
3e6b2d4cd540196124bddaa0f22af198f80c6de3addc00f5787dbde27eba101936bd520ba6867074230241386d07147195941f11bae05d40bc7c25dcb2487311

Download Submit
C:\Users\Admin\Desktop\ConvertFromEnter.odt.loplup.839-154-C75

Filesize
367KB

MD5
25211af803f765be1fd998d1dcaa5fe6

SHA1
7e438814c3089a9bdb81d2512aaa2659582a3193

SHA256
fc3c54346cc5e9d5ebe639f6ade4d0aeb19f36be234dc09a5fa374b07adf6152

SHA512
9733090998d117ae34ecc4efcefc07afa5e4af29408367514cec0677e859dffd2ccc4a103188b8a938cd31d5f5e318a0b8ba2a5436f6fdcb9b88683616072c9e

Download Submit
C:\Users\Admin\Desktop\DebugSplit.doc.loplup.839-154-C75

Filesize
696KB

MD5
2e3493c1e91d2a9b76162516910e0ba5

SHA1
050744e814e7ecefce66298809f0de8223ff00d1

SHA256
d98c59e379198f6d688cde49377144eb23a76662dd93639ea4ae87294dfc2f84

SHA512
16d0417dd3bb8ea943349c89d18baf6e98de336df93c7f98131481a9b7eb0445a79f875005748d0c37c22a651fdadc8c3e2f87e1af09b67b7942d609e221717c

Download Submit
C:\Users\Admin\Desktop\EnableMerge.ppsm.loplup.839-154-C75

Filesize
257KB

MD5
be6a9154d1ca2bdab05ffb8d3a323d07

SHA1
9d63a1164e9a1f16f6aeaf4a5d98218b98199b65

SHA256
00606d04b8aded1204d37ea4c9d9e6346cedeacf9a9198c80716cf7b71e22365

SHA512
c555e3836aa8e7864d8d600d8b59cfdd7375823cfb78a58bfcf74b03f0e094c381beb18eb3df51e3997b4850f09fe1d75b15153e7b981fc57a7558630f2a8d07

Download Submit
C:\Users\Admin\Desktop\ExitRevoke.cab.loplup.839-154-C75

Filesize
403KB

MD5
e91a9b8c29fcb0e99a7b2ca3e48595a9

SHA1
1deb9cd419cb97cb342d4dfbc44ed4f34d917404

SHA256
ffce2e14ec3ec54ef4c2fb0dbc7b330232fddf6308e97818d63b8998ad95e908

SHA512
684bcb9fc620202807c8404a42d36a6ea258c8da955130b5e735faaf1a480cd5dfba0c526bc609029d41d240b1c967f0a1fd61ab5746adcdb062b511164b43a2

Download Submit
C:\Users\Admin\Desktop\FindGet.reg.loplup.839-154-C75

Filesize
294KB

MD5
2c42d8aac57379408b3a6a088f3ac3a3

SHA1
1814ff5ae525408754f309cb959abad446d32ec3

SHA256
fbbc208e17b77812432ee7f882d31c5332dc989e89776ba5000949c67b99c8d9

SHA512
a8a7e79354a2c5a144f8437e9aaa905fc3369df43eda7828ae7075a397ea139d2d24d7e5269f01bcdb2f2aa06249f4244d81534f957de7830152921748107046

Download Submit
C:\Users\Admin\Desktop\FindSuspend.MOD.loplup.839-154-C75

Filesize
586KB

MD5
1970f211a6a8623a6233fc6a8ed75c41

SHA1
4155c7ccbb35c3a1ece67e524f483867302c120f

SHA256
b4d6c923af3535e5b81a852ca4f5f38f8d0840bf4215cd06b34d94f8f8f166d9

SHA512
e34b5a397291e9aa6465734fd2cd7b78a6866aa6c06da68ac554b200e70e5b9b5ec57c2a5b1eb0c55c82aef3143a9f9a5ff002da0725c400a275e26fdfb18a75

Download Submit
C:\Users\Admin\Desktop\JoinTrace.clr.loplup.839-154-C75

Filesize
440KB

MD5
64c97cf2d08f5338b53c1ae13e588cd7

SHA1
e13799ac3205fd68e924959d93f4073a14357687

SHA256
dc2562372b88485011682254bbf015cf2d687110b6e9d71c0c77d778d9958c2b

SHA512
e40e3e28c85bd4b872c9da792d357374dd97dd77d81954a0ddac70b567dbd2d7c0ab834b54be1b38f72958d3ff104c473bc9c3b3dbb1874fdcdd83a50016672f

Download Submit
C:\Users\Admin\Desktop\LockLimit.m1v.loplup.839-154-C75

Filesize
678KB

MD5
01fdc06b9a1473ecb0dc5382306ceff0

SHA1
3a007a9aa14b97dee3cbdb6650eca88594460891

SHA256
8356789627215c674e1ca336d3253924bc3f508e5eb334ffaf183b2b743da965

SHA512
23d2107b4a890f87963a05c99ebed2ebde3511d3f9ba00ad9fb0f334b02615c27f5538fbf8f2d752e64b1a08699023f50f69acd16efbdf1c26398d2d4220827a

Download Submit
C:\Users\Admin\Desktop\MeasureClear.xla.loplup.839-154-C75

Filesize
641KB

MD5
28030c298bbeceb3336d022347584c50

SHA1
45e43b382d21e25ee9652aab30223ce24b470247

SHA256
64cf4257f59d412b750ec5438c6483e96e3088ac84ab48a381af4fd88d7f5601

SHA512
d267972bf51bcc7a31bdea9984c1a11175ea4fd966736d38eb3267c0d08da004ea63048e001e4014b14d3f081a85b5d25ac9083fee489b3782b812b50ec656ce

Download Submit
C:\Users\Admin\Desktop\MoveEdit.dwfx.loplup.839-154-C75

Filesize
714KB

MD5
63feeef1a1c9f73ec9f36974a0b09f95

SHA1
6182df455c01c7dd857e9575ed062380d29d0546

SHA256
5477d9baa3e3be605f6517454cb70c78a81b5128e62b4daefaeb73a0ecb3d2a4

SHA512
c06b23e79ac5de56999b9ca0f70c222825b070736744bb8b56f7bc983ce6f8c1969712d673fa5543885e200b8085f0e78b68eeb60d65f77af292c938767f63a1

Download Submit
C:\Users\Admin\Desktop\NewCheckpoint.ADTS.loplup.839-154-C75

Filesize
330KB

MD5
7085fa8808ece0016af546a839109bac

SHA1
a099166d2303f270284a923b03900a871ffe46de

SHA256
6a5afd81fba8d0d5615a8a73e9ab10f3f41cf3dbb42d6f08d3f93c1ef4fa4b4d

SHA512
e7f3a30ef1465a6a817f2061e4892df0db792e7ab0ad57b291a3e6ce290127050f9cfdebae2b6ca05f2003daabf8f52783dbd20e592e3ff8c3cff1c2ab6e62ac

Download Submit
C:\Users\Admin\Desktop\OptimizeSubmit.vst.loplup.839-154-C75

Filesize
385KB

MD5
4a07a2bcd207e836182c68fb955f1580

SHA1
c6037947033170798556f0b4cd812dbab88d24a9

SHA256
0191e86be3850f376a7ddfe97a89f7ad31a72dded43dea989d4c19e4fec3f41c

SHA512
24d1524fc5716c61d2c81627425979655055113ab4dba47f74dd2a424fe145f4f429fc4393459ef85fa688dae689ca464c85d25077777827aebedd5f4edb1d42

Download Submit
C:\Users\Admin\Desktop\PublishSuspend.png.loplup.839-154-C75

Filesize
349KB

MD5
a4fc5c850c9568f8cc63b267be6aba02

SHA1
cba191bfdf0d1406e5aff86ec2e0c22d89e5497e

SHA256
77cb6e6cd8640085ce570956c6d47e7a6d0387dc25a56080ac6ca11b6952364f

SHA512
51385be7a2f7842b2c0dc4f8b7415bd215ab81b9c4562c9a6202862103360f76f555396c230235a2bc56a9f0a48b5f66061e6c18a9729307a506ae90edeaa686

Download Submit
C:\Users\Admin\Desktop\PushHide.bin.loplup.839-154-C75

Filesize
733KB

MD5
317d5ea7fedca71d5bed2dbc3e75398b

SHA1
cf0468de68b93fef0ef95f292c7ba5b21470d248

SHA256
23873c20c8e6284d483dc43b1a24fc5e2bb55bb3197f79a7cebf14255c66a5f8

SHA512
e8b86fdddd4bc5e0c531b865cce5aa3ec50522fc012aa380322f4b784b121863000603c29167357a2e03f8b356a372daae7b4557ea2618b73c1fd30ff35df857

Download Submit
C:\Users\Admin\Desktop\ReadResize.mov.loplup.839-154-C75

Filesize
458KB

MD5
3ad19e06b3757d880cf1c75b8046048f

SHA1
9c1a027e5d5979c7ef9afcc9e0393e90cb57e091

SHA256
2bf580a6cb99e2377f93b13bc001da61499c5e4a8133161079d3e89345d87458

SHA512
c5495560d3ae28797300c52f63a60a0a4704c2900e21f223413812ad85dcada01eb554265ac7d5f6a5be44a821cf7854c79fc3eb2d73dff2149f1c8475f8c462

Download Submit
C:\Users\Admin\Desktop\RegisterCopy.avi.loplup.839-154-C75

Filesize
623KB

MD5
d056cc619d3444ba97c63f29ef4698e8

SHA1
c15f4853ee34001a2e0bce9643c68ea6208aeeb2

SHA256
f4f4a54fc4512cb4fe0cd185636a3dac50556439f1906c72e2708c25e5e89c38

SHA512
f4ff76a1539fe3d3679f654a96416517155a63b62ed4b5d7f54805f8cab7552ea9294230d28e392680ff12ab4824b3ba7cc0c44490d050738ccfdecaf75f6bcc

Download Submit
C:\Users\Admin\Desktop\RegisterRequest.ppsx.loplup.839-154-C75

Filesize
659KB

MD5
333a01489d2240ca531692c417ef8b44

SHA1
f800e13890cce9bcc8cfe352dfe7382e98859d8b

SHA256
295b270c4aa85b2799b992432d6e8ab8457fce6fbdef1eff8a42f9b83c50b16d

SHA512
bb342a734b9ce59b53b59cc9995a8d6259428c33053d1db1ca3c95f2e6cefbed250555bfb82f1916f8af3431acda1ac70a72dd5355aced52edd4c6d0234a70c1

Download Submit
C:\Users\Admin\Desktop\RemoveFormat.wdp.loplup.839-154-C75

Filesize
312KB

MD5
1bc079ba2a80d00575867c11279d3b33

SHA1
83192056b0e4cd950762ae445e3007880c1e5792

SHA256
7f08357b3590ae5ab4a9800451f97235eae68a6219bd4da3b12e89f670bf6815

SHA512
018c4188d10f08bc638eb471a9575e9ff50c43564fe31abe498d94b05eb497cb9138af5c03adbbb2ef4e0f2180737b16332341cae20618965018f2ef3dceb425

Download Submit
C:\Users\Admin\Desktop\ResolveRepair.mp4.loplup.839-154-C75

Filesize
513KB

MD5
43281596f4b0890e21fa3e7f8268f4b3

SHA1
5874cc38ae515cce8019cbe1aeb85163938f631b

SHA256
6c14d0849bed706149dd90cc21b5ebaf7789195a7ecd62473dff8dc6055e8e5f

SHA512
1417d9f25b61533c2e75e1aca1eec90a00f2bbc42b4ced672c86953b37d4c686073fe1a8e266ad9c294a7937de25e860e229a37704c33680f1c29559cd7ac9fb

Download Submit
C:\Users\Admin\Desktop\RestartRestore.mp3.loplup.839-154-C75

Filesize
568KB

MD5
ecead761a58af9f4bbddb968cdd0290a

SHA1
37f50610de8a128f2da6098de28e5da541f56b12

SHA256
9828e15a49856ae6dc416863aefc1e32f861ddb9883816fd6cf1e2d01ff9a597

SHA512
f3e3b906df1db36011a576e8ba80a56175857164a13f946d59d7e87904abe3c7f68ccdb320d2b9b95dc31dcb7865bfc211454158453c0bf0a2934984671475a7

Download Submit
C:\Users\Admin\Desktop\SuspendSelect.au.loplup.839-154-C75

Filesize
605KB

MD5
6631785535697213b1823f64b6b97f92

SHA1
3bf09d63743b5442dcb6e024871533a29d3ab10b

SHA256
7770dd7671fdc121fbbf1c979b3fd6829e517d7a206dcdf02739288a9e99b773

SHA512
d669882ab09e89e374afa21ec82abc3840ea86edb44513da8924b6bb5b7cbebdc69f8faa5fced3a2816398923a08e04e2a9e891f57132043eb8b892e2a02f802

Download Submit
C:\Users\Admin\Desktop\SyncCopy.m1v.loplup.839-154-C75

Filesize
422KB

MD5
57fa0206921ea20bd6dd8da79330ab9d

SHA1
07fd403c040182ef7fc36bbf0c403cb7f51823ea

SHA256
5b74c1e295aadd0b347857dc4387615721c48f71d153651dda8cbc8984e98a98

SHA512
c1363f1d2bfb1ce048b0003c5dc37a0de3d48089ac93d00f0bdb2ebc62909caaf26941be9ce77b3d9842f7c92408f49276cdade36f94afae475bfe558d541b29

Download Submit
C:\Users\Admin\Desktop\UnlockReceive.aiff.loplup.839-154-C75

Filesize
477KB

MD5
353ce10d93854824866ccf3e16e287d4

SHA1
984f082225c3e388751ef92f373435b411bf8d47

SHA256
aa191aac3495f7a529788a782c4bb04313373ddc0d0751585296dea7097f7561

SHA512
440e95b73692043e344921b76e0c453db83755956a3ed2fb16cb2eed10132e335562118e52f459162ae86f110247eb5ad599975280cd6eca953326b4f4dcbaf7

Download Submit
C:\Users\Admin\Desktop\WritePop.dxf.loplup.839-154-C75

Filesize
1007KB

MD5
f404cb94c95b09dd3c2c266c0cea5206

SHA1
38efef2c91c9783ebcd7e710edb87a5a199aba51

SHA256
691d3c66b5e2396c272f806792eaf01ca95105ae4d2621e46c6b78f9fa577166

SHA512
ebf584a181fa9e853a840e434355b24046f415a4eb573bc0f4e8336d7f4d8e81e16e0a69dd681842e3b905a3e7d0c0dff262bae08d03710abff2789dea2dae15

Download Submit
memory/460-133-0x0000000000000000-mapping.dmp

Download
memory/1568-152-0x0000000000000000-mapping.dmp

Download
memory/1584-136-0x0000000000000000-mapping.dmp

Download
memory/2036-132-0x0000000000000000-mapping.dmp

Download
memory/2848-139-0x0000000000000000-mapping.dmp

Download
memory/3316-135-0x0000000000000000-mapping.dmp

Download
memory/4040-134-0x0000000000000000-mapping.dmp

Download
memory/4492-138-0x0000000000000000-mapping.dmp

Download
memory/4832-181-0x0000000000000000-mapping.dmp

Download
memory/5036-146-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/5036-144-0x0000000005BA0000-0x0000000005BC2000-memory.dmp

Filesize
136KB

Download
memory/5036-143-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/5036-142-0x0000000002B10000-0x0000000002B46000-memory.dmp

Filesize
216KB

Download
memory/5036-141-0x0000000000000000-mapping.dmp

Download
memory/5036-145-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/5036-147-0x0000000006430000-0x000000000644E000-memory.dmp

Filesize
120KB

Download
memory/5036-148-0x0000000007420000-0x00000000074B6000-memory.dmp

Filesize
600KB

Download
memory/5036-149-0x0000000006920000-0x000000000693A000-memory.dmp

Filesize
104KB

Download
memory/5036-150-0x0000000006970000-0x0000000006992000-memory.dmp

Filesize
136KB

Download
memory/5036-151-0x0000000007A70000-0x0000000008014000-memory.dmp

Filesize
5.6MB

Download
memory/5052-137-0x0000000000000000-mapping.dmp

Download