39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d

Resubmissions

05-10-2022 11:39

221005-nsrtyaedfm 9

05-10-2022 08:12

221005-j3wtesdfg7 9

05-10-2022 06:56

221005-hqhwcsdeg8 9

Analysis

max time kernel
155s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-10-2022 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

830004.exe
Size

691KB
MD5

58aea2aac89947773dfae8e3859e20b0
SHA1

be17c41c65703f9475e36dff55fd3de220e395f3
SHA256

39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
SHA512

f3d43c0759b05b949498cc63084b54b869c228a427f1590a1010007b4bdbebf760145a29e5f1a7c5585133ed76a3c1a5d7bf2ace46858ac9a48ff5c05eafa6eb
SSDEEP

12288:i0iads6yn93ySQDWYgeWYg955/155/m6q5iKn3zMCO342FoqdXS:dicFyn93ySQJ5f34Jo2Fi

Score

9^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

830004.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RestoreClear.raw => C:\Users\Admin\Pictures\RestoreClear.raw.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\UnregisterConnect.png => C:\Users\Admin\Pictures\UnregisterConnect.png.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromDisconnect.png.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\NewBackup.tif.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\NewSuspend.tiff => C:\Users\Admin\Pictures\NewSuspend.tiff.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\AssertConvert.png => C:\Users\Admin\Pictures\AssertConvert.png.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\UnregisterConnect.png.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreClear.raw.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\TestWait.crw => C:\Users\Admin\Pictures\TestWait.crw.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromDisconnect.png => C:\Users\Admin\Pictures\ConvertFromDisconnect.png.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\NewBackup.tif => C:\Users\Admin\Pictures\NewBackup.tif.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\NewSuspend.tiff.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\RestoreFind.crw => C:\Users\Admin\Pictures\RestoreFind.crw.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreFind.crw.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\AssertConvert.png.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\ConfirmCompress.tiff => C:\Users\Admin\Pictures\ConfirmCompress.tiff.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmCompress.tiff.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\TestWait.crw.crypt	830004.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\830004.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

830004.exe

description	ioc	process
File opened (read-only)	\??\L:	830004.exe
File opened (read-only)	\??\M:	830004.exe
File opened (read-only)	\??\R:	830004.exe
File opened (read-only)	\??\W:	830004.exe
File opened (read-only)	\??\Y:	830004.exe
File opened (read-only)	\??\A:	830004.exe
File opened (read-only)	\??\G:	830004.exe
File opened (read-only)	\??\K:	830004.exe
File opened (read-only)	\??\Z:	830004.exe
File opened (read-only)	\??\U:	830004.exe
File opened (read-only)	\??\V:	830004.exe
File opened (read-only)	\??\X:	830004.exe
File opened (read-only)	\??\I:	830004.exe
File opened (read-only)	\??\N:	830004.exe
File opened (read-only)	\??\T:	830004.exe
File opened (read-only)	\??\O:	830004.exe
File opened (read-only)	\??\P:	830004.exe
File opened (read-only)	\??\S:	830004.exe
File opened (read-only)	\??\B:	830004.exe
File opened (read-only)	\??\E:	830004.exe
File opened (read-only)	\??\H:	830004.exe
File opened (read-only)	\??\F:	830004.exe
File opened (read-only)	\??\J:	830004.exe
File opened (read-only)	\??\Q:	830004.exe

Drops file in Program Files directory 64 IoCs

Processes:

830004.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RECL.ICO.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageBlank.gif.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate.css.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\ROGERS.COM.XML.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ORIG98.POC.crypt	830004.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\external_extensions.json.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr.jar.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Person.gif.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\INCOMING.ICO.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js.crypt	830004.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00194_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Composite.eftx.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana.css.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREET11.POC.crypt	830004.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06200_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FBIBLIO.DLL.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\weather.js.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00564_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187647.WMF.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03236_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\background.gif.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\service.js.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\PREVIEW.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00780L.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14794_.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\localizedStrings.js.crypt	830004.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.crypt	830004.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar.crypt	830004.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\winamp2.xml.crypt	830004.exe

Delays execution with timeout.exe 61 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1924	timeout.exe
892	timeout.exe
820	timeout.exe
1328	timeout.exe
1664	timeout.exe
828	timeout.exe
580	timeout.exe
1752	timeout.exe
2040	timeout.exe
1568	timeout.exe
1776	timeout.exe
1600	timeout.exe
1732	timeout.exe
1248	timeout.exe
1396	timeout.exe
1344	timeout.exe
1108	timeout.exe
1924	timeout.exe
1320	timeout.exe
1152	timeout.exe
872	timeout.exe
1612	timeout.exe
1328	timeout.exe
1844	timeout.exe
1112	timeout.exe
1612	timeout.exe
1420	timeout.exe
156	timeout.exe
1380	timeout.exe
820	timeout.exe
1320	timeout.exe
1176	timeout.exe
1904	timeout.exe
1460	timeout.exe
1540	timeout.exe
1180	timeout.exe
1008	timeout.exe
1748	timeout.exe
576	timeout.exe
540	timeout.exe
1720	timeout.exe
1532	timeout.exe
752	timeout.exe
1700	timeout.exe
692	timeout.exe
972	timeout.exe
1348	timeout.exe
2016	timeout.exe
1172	timeout.exe
1732	timeout.exe
1908	timeout.exe
1488	timeout.exe
1472	timeout.exe
1988	timeout.exe
1000	timeout.exe
1704	timeout.exe
752	timeout.exe
308	timeout.exe
552	timeout.exe
2028	timeout.exe
328	timeout.exe

Enumerates processes with tasklist 1 TTPs 61 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
1504	tasklist.exe
1504	tasklist.exe
1372	tasklist.exe
1728	tasklist.exe
1212	tasklist.exe
1744	tasklist.exe
1612	tasklist.exe
1628	tasklist.exe
1540	tasklist.exe
2032	tasklist.exe
1484	tasklist.exe
1336	tasklist.exe
1332	tasklist.exe
960	tasklist.exe
108	tasklist.exe
1328	tasklist.exe
2032	tasklist.exe
1704	tasklist.exe
1236	tasklist.exe
1396	tasklist.exe
1096	tasklist.exe
1636	tasklist.exe
1652	tasklist.exe
364	tasklist.exe
1488	tasklist.exe
1064	tasklist.exe
1932	tasklist.exe
2016	tasklist.exe
1232	tasklist.exe
1232	tasklist.exe
1704	tasklist.exe
1176	tasklist.exe
1124	tasklist.exe
892	tasklist.exe
960	tasklist.exe
560	tasklist.exe
1668	tasklist.exe
1124	tasklist.exe
1344	tasklist.exe
1372	tasklist.exe
1476	tasklist.exe
800	tasklist.exe
1588	tasklist.exe
1756	tasklist.exe
800	tasklist.exe
900	tasklist.exe
1552	tasklist.exe
1324	tasklist.exe
1924	tasklist.exe
1776	tasklist.exe
1668	tasklist.exe
1892	tasklist.exe
1396	tasklist.exe
1644	tasklist.exe
1316	tasklist.exe
896	tasklist.exe
2028	tasklist.exe
744	tasklist.exe
1540	tasklist.exe
1676	tasklist.exe
2040	tasklist.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1624 vssadmin.exe

pid	process
1624	vssadmin.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1320	taskkill.exe
1928	taskkill.exe
756	taskkill.exe
680	taskkill.exe
828	taskkill.exe
1936	taskkill.exe
1532	taskkill.exe
1180	taskkill.exe
1772	taskkill.exe
204	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 18 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1596 reg.exe
Runs net.exe

pid	process
1596	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

830004.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1076	830004.exe
Token: SeBackupPrivilege	1076	830004.exe
Token: SeRestorePrivilege	1076	830004.exe
Token: 35	1076	830004.exe
Token: SeSecurityPrivilege	1076	830004.exe
Token: SeManageVolumePrivilege	1076	830004.exe
Token: 32	1076	830004.exe
Token: SeTcbPrivilege	1076	830004.exe
Token: SeSystemProfilePrivilege	1076	830004.exe
Token: SeTakeOwnershipPrivilege	1076	830004.exe
Token: SeDebugPrivilege	1396	tasklist.exe
Token: SeDebugPrivilege	1644	tasklist.exe
Token: SeDebugPrivilege	1668	tasklist.exe
Token: SeDebugPrivilege	1232	tasklist.exe
Token: SeDebugPrivilege	744	tasklist.exe
Token: SeDebugPrivilege	1124	tasklist.exe
Token: SeDebugPrivilege	2032	tasklist.exe
Token: SeDebugPrivilege	1504	tasklist.exe
Token: SeDebugPrivilege	1704	tasklist.exe
Token: SeDebugPrivilege	364	tasklist.exe
Token: SeDebugPrivilege	1744	tasklist.exe
Token: SeDebugPrivilege	1316	tasklist.exe
Token: SeDebugPrivilege	800	tasklist.exe
Token: SeDebugPrivilege	1612	tasklist.exe
Token: SeDebugPrivilege	1484	tasklist.exe
Token: SeDebugPrivilege	1628	tasklist.exe
Token: SeDebugPrivilege	1504	tasklist.exe
Token: SeDebugPrivilege	1488	tasklist.exe
Token: SeDebugPrivilege	900	tasklist.exe
Token: SeDebugPrivilege	1932	tasklist.exe
Token: SeDebugPrivilege	1728	tasklist.exe
Token: SeDebugPrivilege	1176	tasklist.exe
Token: SeDebugPrivilege	1540	tasklist.exe
Token: SeDebugPrivilege	1328	tasklist.exe
Token: SeDebugPrivilege	1124	tasklist.exe
Token: SeDebugPrivilege	2032	tasklist.exe
Token: SeDebugPrivilege	1552	tasklist.exe
Token: SeDebugPrivilege	1324	tasklist.exe
Token: SeDebugPrivilege	892	tasklist.exe
Token: SeDebugPrivilege	1652	tasklist.exe
Token: SeDebugPrivilege	896	tasklist.exe
Token: SeDebugPrivilege	1212	tasklist.exe
Token: SeDebugPrivilege	1924	tasklist.exe
Token: SeDebugPrivilege	2028	tasklist.exe
Token: SeDebugPrivilege	1344	tasklist.exe
Token: SeDebugPrivilege	1336	tasklist.exe
Token: SeDebugPrivilege	2016	tasklist.exe
Token: SeDebugPrivilege	1372	tasklist.exe
Token: SeDebugPrivilege	1704	tasklist.exe
Token: SeDebugPrivilege	1476	tasklist.exe
Token: SeDebugPrivilege	960	tasklist.exe
Token: SeDebugPrivilege	1776	tasklist.exe
Token: SeDebugPrivilege	1676	tasklist.exe
Token: SeDebugPrivilege	800	tasklist.exe
Token: SeDebugPrivilege	1064	tasklist.exe
Token: SeDebugPrivilege	1332	tasklist.exe
Token: SeDebugPrivilege	2040	tasklist.exe
Token: SeDebugPrivilege	1892	tasklist.exe
Token: SeDebugPrivilege	1372	tasklist.exe
Token: SeDebugPrivilege	1236	tasklist.exe
Token: SeDebugPrivilege	1396	tasklist.exe
Token: SeDebugPrivilege	560	tasklist.exe
Token: SeDebugPrivilege	1588	tasklist.exe
Token: SeDebugPrivilege	1096	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

830004.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1076 wrote to memory of 1420	1076	830004.exe	cmd.exe
PID 1076 wrote to memory of 1420	1076	830004.exe	cmd.exe
PID 1076 wrote to memory of 1420	1076	830004.exe	cmd.exe
PID 1076 wrote to memory of 1556	1076	830004.exe	cmd.exe
PID 1076 wrote to memory of 1556	1076	830004.exe	cmd.exe
PID 1076 wrote to memory of 1556	1076	830004.exe	cmd.exe
PID 1076 wrote to memory of 1752	1076	830004.exe	cmd.exe
PID 1076 wrote to memory of 1752	1076	830004.exe	cmd.exe
PID 1076 wrote to memory of 1752	1076	830004.exe	cmd.exe
PID 1556 wrote to memory of 1396	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 1396	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 1396	1556	cmd.exe	tasklist.exe
PID 1420 wrote to memory of 1596	1420	cmd.exe	reg.exe
PID 1420 wrote to memory of 1596	1420	cmd.exe	reg.exe
PID 1420 wrote to memory of 1596	1420	cmd.exe	reg.exe
PID 1556 wrote to memory of 960	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 960	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 960	1556	cmd.exe	findstr.exe
PID 1752 wrote to memory of 1432	1752	cmd.exe	net.exe
PID 1752 wrote to memory of 1432	1752	cmd.exe	net.exe
PID 1752 wrote to memory of 1432	1752	cmd.exe	net.exe
PID 1432 wrote to memory of 892	1432	net.exe	net1.exe
PID 1432 wrote to memory of 892	1432	net.exe	net1.exe
PID 1432 wrote to memory of 892	1432	net.exe	net1.exe
PID 1556 wrote to memory of 1320	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1320	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1320	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1644	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 1644	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 1644	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 1568	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 1568	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 1568	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 1348	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1348	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1348	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1668	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 1668	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 1668	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 1748	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 1748	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 1748	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 1924	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1924	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1924	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1232	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 1232	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 1232	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 1720	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 1720	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 1720	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 1176	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1176	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1176	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 744	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 744	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 744	1556	cmd.exe	tasklist.exe
PID 1556 wrote to memory of 108	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 108	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 108	1556	cmd.exe	findstr.exe
PID 1556 wrote to memory of 1000	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1000	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1000	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 1124	1556	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\830004.exe
"C:\Users\Admin\AppData\Local\Temp\830004.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\system32\cmd.exe
cmd /c C:\ProgramData\Microsoft\Settings\4g8D6x6k9.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:960

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1320

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1568

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1348

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1748

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1924

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1720

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1176

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:108

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1000

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1988

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2016

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:688

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1732

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1836

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1248

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1488

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1752

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:900

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1320

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1932

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1844

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1756

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1924

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2028

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1540

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1328

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2040

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2036

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1112

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1572

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1172

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1248

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:892

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1652

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1396

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1320

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1568

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1700

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1776

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1668

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1180

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1980

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:692

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:108

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1612

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1416

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1008

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1484

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1600

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:624

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1904

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1532

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1420

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:828

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1704

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1472

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:972

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:960

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1152

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:900

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1748

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1844

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:752

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1316

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:820

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:452

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:308

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:748

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:540

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2040

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1732

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1484

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1908

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1036

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:828

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1456

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1472

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:972

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1460

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1152

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:552

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1772

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1720

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1668

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:580

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1980

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2028

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:744

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1344

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:540

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1328

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1732

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1664

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1908

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1380

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1632

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:156

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1704

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1488

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:316

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:328

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1480

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1532

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1568

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:752

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1932

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:576

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1756

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:680

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:872

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1232

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1636

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1108

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1540

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:108

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1988

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:960

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1568

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1700

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1668

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1756

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:820

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1636

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1108

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1612

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:108

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1736

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\system32\reg.exe
reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net config server /autodisconnect:-1
2⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\net.exe
net config server /autodisconnect:-1
3⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config server /autodisconnect:-1
4⤵
PID:892

C:\Windows\explorer.exe
explorer.exe .\readme_for_unlock.txt
2⤵
PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /quiet
2⤵
PID:844

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /All /quiet
3⤵
- Interacts with shadow copies
PID:1624

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\5n7Q5j3t3.bat
2⤵
PID:688

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:828

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1936

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1320

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1532

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1928

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1180

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:756

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1772

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:680

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\6a9I6o3y5.bat
3⤵
PID:232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1904

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1908

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Settings\4g8D6x6k9.bat
Filesize
163B

MD5
3578e838f655c9bd9426651cc13f6a84

SHA1
10b312cca508e1958507cd3f8a6feae72f6a3a3d

SHA256
42f5a94a41364f4ab334ab6bf3638b1861d3a10b7684df6e5968567ca5027bde

SHA512
4ccd6320fe0eb7dccd3b322ffbb94b9f718123dec2781f9f9404e3c520628f8f9d544b88189dda079a8f431cebdecc7a3cd94e37d21eb9257fdc65408465a995

Download Submit
C:\Users\Admin\AppData\Local\Temp\5n7Q5j3t3.bat
Filesize
1.0MB

MD5
8be4f44d1ff4adadd6eb288744075886

SHA1
9f7e1ab5de532eb3ce683a7ec9e63ceda9577a36

SHA256
53fabf81e4db5654817bcdfbbe6cac96ec763ae1e9692e0f01f0e768f52478dc

SHA512
8ca0226335cad5dce101a88032a8203c7dd5b574a8acdb416c05b26ada4988a13d904fc956af89469cabe92b350948a327d8509eaf757a5fcb020d3c8cb8e6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a9I6o3y5.bat
Filesize
56B

MD5
c1c96250e2d9b4b03a0a805952467b3d

SHA1
c7d3e1d97525e29245735acddcf290835dfe0e89

SHA256
142deb583f865af0134063d85ad5a1742a29748617d5200c40f6473ec047252a

SHA512
225ac0d6a190c74c0a05abea5a34c9abcc299da7db69a333449d04dfc6b66c6e6952137b6ed992626e2cdee69016e35f7099506e633bd0b5124c58b7b8d46323

Download Submit
C:\Users\Admin\Documents\Are.docx.crypt
Filesize
11KB

MD5
c8e603fda2594edb44d562541cebeaf5

SHA1
8fce177f4fc54125d7d6e47330d50d0361820b54

SHA256
2748219fdbd283dcf9360030b9b129c262d1b9db0a2d99f7ef57bcd4dd309f32

SHA512
6f15b2fd8a3041365fa7f2b14fb9a49571b133f09097062762f6b4dc3d77dce33f951348fbd80f60d38650620c414e7313fbae65c29ea93c7f016eb779bb8998

Download Submit
C:\Users\Admin\Documents\AssertEnter.odt.crypt
Filesize
604KB

MD5
a453fe04a1ea92bc5da93b7cbd634310

SHA1
3cb473f91c54ba19de52851d1ffa0072c6e87ca1

SHA256
76f5735764445b15b09a48ae8e8f7e70bce3559c65d8ae5fc88acf62acac0288

SHA512
1bff73a1547b8860e93a72a5129e5c5e9c1303cd7de909e76da3f9802e284fd611b8fa96782ef2936661630b57ad4fa28d0f5383cbb10474b6576c03fe74c278

Download Submit
C:\Users\Admin\Documents\BackupGroup.vdw.crypt
Filesize
698KB

MD5
38fb1538a0a8340c82b1643baa9357c5

SHA1
fdf4172765a9b7a382862dc86d8caf0299cb7ab6

SHA256
45067a0c67dba5480bbeda5a3730194276cdccdcf1b83f3bedd2b659c5aaf579

SHA512
6aca60fc0f5597acbf59aa4edc62478cf40e6e5879ae7500826b20c5f4f9c65500aea8df90379593f90537a7a4207ccb263297a684e68e42d3bad9fcd3448da0

Download Submit
C:\Users\Admin\Documents\CheckpointMeasure.pot.crypt
Filesize
954KB

MD5
a239cd8b78daa94b70710a5f6444551d

SHA1
4485a15a3bce9bb36e3d815433697da086a1bec1

SHA256
d820a91e86e0ce62f25b534c04bea8fe9dc16f2ceaaf9b40dd25875121897f25

SHA512
75d3e23853a7a3d7f1da7dfe9b3af67431401a969de3687b8ecbaae956b983435a0189e5aca645e473f6042df0002225822775984276080ff1e409cd5210b6e4

Download Submit
C:\Users\Admin\Documents\CompleteInvoke.vst.crypt
Filesize
644KB

MD5
2e206f28caaafc621d4506b77487ccb1

SHA1
f91579f942570d2815618b10b295f15f132287e5

SHA256
18b54e373086d8a4018183ad8f30b278e759160b944cfb0d3b7fdcf64641d94b

SHA512
8a328fe286b6bbee46f396255ff55ea02125ccef59c9476c53e0fe3667d84c493b4351e6034c5ca0d293374f5597e30427ddb104a1f21f9fc792f72bf04b1660

Download Submit
C:\Users\Admin\Documents\CompleteSuspend.pptm.crypt
Filesize
403KB

MD5
6a772b6ed60888b6376730f9e8e647e5

SHA1
240ec734b20d800194bc17f302778997c244d8a6

SHA256
aaddcbfc90e283dfbd7e156acce77eefff9f8d52d2935f3c3139982cd419cbb0

SHA512
266eb823081b0554b76bef03cbdbebe0bc9b6f02dc07803d08a75b0c0bc869fe524c5ada327b0c2d9d8bad259eb3148dd84f94a1edd9170270d400d78955dc44

Download Submit
C:\Users\Admin\Documents\ConvertCheckpoint.ppt.crypt
Filesize
685KB

MD5
2a62ae04624f5ea50aa7615adecdbad0

SHA1
c2ccfac8e076fbe6fcddd0d54ecb0ab8a7eaa95b

SHA256
36ce22f7db1f6226f9964f6714e79e6578704493e99304c7b94ab55b6c5097b1

SHA512
9fb6b591a8c482acc911cf8c0629993c5de805a846821b9f3c975fdf6ef48d280d040f291eb0f627f381493c26d7acb406662024c691a8d5d7d2231de195b8f3

Download Submit
C:\Users\Admin\Documents\ConvertInstall.vsx.crypt
Filesize
309KB

MD5
2d41fb82d6772eb43b584668db1c21bd

SHA1
fb8cd769a9075f399fe7460b67e956e656f7ec65

SHA256
4dfa9090c216dc37ef075a16006e72d4741486031392125c6f8f66d9fb9b00d5

SHA512
2897c467ba242f75b726f473396d5f77ffb37865809a68f361246dc9fd8e0bf67c4a86e2fde8ce395b5bf90a7cefbafc751ed0cb2e2f6f54f8cc7f8fe20025d7

Download Submit
C:\Users\Admin\Documents\ConvertUse.vstm.crypt
Filesize
550KB

MD5
d6d15f8e000991e8b02dd8de6eef4a18

SHA1
8f173b724c56a0610ba66002babdbb4c99723c7b

SHA256
1312ab2ada863fe0cb4ce465124e0f2d7902a8e47b20883e2137d3c36f9baf6c

SHA512
d0701fa254d7390e6cb7efe611e6f5f818c8f3976782f85c130bff8f5d210aaf0e3c3bdabce272d3520e9bc34ab8f79cac048a21c7162de4347b2722b1d62557

Download Submit
C:\Users\Admin\Documents\DebugEdit.ods.crypt
Filesize
510KB

MD5
daf80d0fb3d68e5f80cec49c5acb3655

SHA1
9969ea0dad9e122a783c317d1c5837d0101a7735

SHA256
ae6af4b27adc53297824aeb6f33867b8600c3d2bee4f10f4e976a674344c1055

SHA512
b5c772688f0ff30864efe2a031ba61b629bb678c0c3b63ea05235bf24ce40ea6242d53af387da3fe299b890ce9ef80f05bae23c8f08d81e95e112eef7f998b1f

Download Submit
C:\Users\Admin\Documents\DisableSearch.vstm.crypt
Filesize
658KB

MD5
196fcce82c2ccfb3a1b5dd1d7fc6691c

SHA1
2f2d133a771a884d6ccf6ca24a6f467777825b1a

SHA256
812d4f424a9e112df028016d281cae022cdb9a8428b4c6f504f6521689628b4a

SHA512
ab622d2303f75b4f1caf30d2b604b5f1e4d0fa1150e5b7abbc97ab0c65a72af7fe3bb5443931cb76d34baec0061984dbf0af94b7d1679d9aac8f02b4112cfe92

Download Submit
C:\Users\Admin\Documents\EditReset.potm.crypt
Filesize
430KB

MD5
c79acb7024fa87f80a675d4a6dc651ee

SHA1
42728cfa3c76077d11067a82225183ed5fb28fe0

SHA256
6bf4a4ac1096831ad9de60e2ba5eafa929e4e7c671efadf83f0f0febdb42d3ea

SHA512
c8596684086cb8e3d6b44cc6211ae3c4d1bb36ce8a85aa1976f09445111e096e562166f73a9082d52b1cd656174c6915f34970852b7a677b67c48df6d91da629

Download Submit
C:\Users\Admin\Documents\EnableInvoke.xltx.crypt
Filesize
591KB

MD5
522ac0f596445019c1ca49fb2db8e89d

SHA1
46e8acd62ef5487798e403c273bfffa344c1d176

SHA256
6eb97568c28b36f0a587346b9e709e0f5015485e205e8e1dcdbbb0fa3d064d86

SHA512
11a76b307f027b2389124a188d8ced3fbf32792363cd1af317544e489e0d08e39041e9c7ffbdec457602bcf2048c42e9d75505fb2cac010fde4cd99855873e1b

Download Submit
C:\Users\Admin\Documents\ExportSet.pot.crypt
Filesize
389KB

MD5
720a6eb48245cbf72518f42cf27ad09a

SHA1
e3fb3e6e3a1b42ec56a595e62cdd16be086e5c84

SHA256
d768d7422324ec7305db1069c2691c64d72caa745f9642d030b8b7104598a467

SHA512
92c86c84697774d5ec0c951007a2640915ea320c8b971b9fc86147f8490a25dbad5b91e5eb1a8a1e869d4c68baabf484c87516e4be369571c61edacbe5bd9b2f

Download Submit
C:\Users\Admin\Documents\Files.docx.crypt
Filesize
11KB

MD5
2791e5353408c88ce5b929cca41bc6b9

SHA1
1886e91df1b2c65bea65a7e84148b2b172a9e36a

SHA256
356c8153c1c99570141b88990b29a1e84b9b9b7153940f96bb810b7ff233bae0

SHA512
7235cbc35b9e1bdc63d7aa8c3f1fb33c1c50b775605e0a6f3754d1bed8ae21f11f93255e25f60d986f9bdad620ecde0a774206b6285e23d7cb8abcc813b316f0

Download Submit
C:\Users\Admin\Documents\FindDebug.pptm.crypt
Filesize
671KB

MD5
4b7fad7bd97104250fc8f0ef2f56a879

SHA1
e46f9726d253064f0a442d476ee032386a1e57c1

SHA256
2147b846898a84242019d8beca738473833770f82ece1df7c9a836daa1b9a825

SHA512
4fc36453008d6a4046daa9c2280dc4e6ea5a93b88701263b00d720c16369420601cd385ec7685f2ba6e59fbc19bac1fb3f4a24c54c2c48021a5e0ce968bb3b6d

Download Submit
C:\Users\Admin\Documents\InvokeSelect.vstm.crypt
Filesize
631KB

MD5
0f778d5c0ce8c6c9fc5f65403fd30754

SHA1
01034c9b4427d46c4db1c47a9fd6e4c8f42f3e11

SHA256
6bc8b92411512ac23b0db2b081cdc73d5a3c67c87bff9e6dac5a9c72e27f80b3

SHA512
ea48f23e4f33611fba5b155fa0e4b5059b4c08c75ec8ad9b3606b6ec57401cba39bbca5803e804ddb1ec5021ab064073cb88b3ebd4531cb7e4f9d335fa79b077

Download Submit
C:\Users\Admin\Documents\MergeHide.vsd.crypt
Filesize
497KB

MD5
37902dccc80f1691c3c814c62e73e6ab

SHA1
63bc2289b2dd3affc576e405546aa90d54d899e7

SHA256
6fe7bedca7f9d63bacef6718b811e21cdca5ade89761ade9603d234c3249662b

SHA512
5488c3cbdc5b0f6d821122108db6f3d15fd66881295293286db0ee75fa2a0422790e21399c4fc0c5eaf1d651a1f94c0d8dde388dd7a57e260e6ba5d095f2771f

Download Submit
C:\Users\Admin\Documents\MoveWrite.xltx.crypt
Filesize
242KB

MD5
def90c8bff650d031c4bec2e95a817c6

SHA1
7f3f25a00ea12c49d9d002b8858013ccf9a539c8

SHA256
11ba2261e3b5fee0c535697f814cab8eed9161a762cb5a9953dfad24b4ace653

SHA512
0f5096d02c8d8e6222e664e76226f23e1d0fbb9598701ed097c9d2735662f031e18cfcf889d518e7077fd27a5218dc4569fdcdbf119676b9a444bdfdf459cd58

Download Submit
C:\Users\Admin\Documents\Opened.docx.crypt
Filesize
11KB

MD5
ef00530de236ee697255e04a737e023b

SHA1
f1d10dd4375dcf4a1a6043c8c72d8babd7e5bb1a

SHA256
888cab7fbd16f62c025afa9e54fe069520c505fc3b57d3872ff66c2c1ceb9069

SHA512
5e009e92f914e5a5800e5a29b0bfeb3bd7caa7749433d32c9bbe2dceae79ab05a1b7598491938f245aed95730b7414c64f33af089bbf783d217bcf2d8f8d6c3e

Download Submit
memory/108-74-0x0000000000000000-mapping.dmp

Download
memory/364-88-0x0000000000000000-mapping.dmp

Download
memory/688-80-0x0000000000000000-mapping.dmp

Download
memory/744-73-0x0000000000000000-mapping.dmp

Download
memory/800-97-0x0000000000000000-mapping.dmp

Download
memory/892-111-0x0000000000000000-mapping.dmp

Download
memory/892-62-0x0000000000000000-mapping.dmp

Download
memory/900-115-0x0000000000000000-mapping.dmp

Download
memory/900-89-0x0000000000000000-mapping.dmp

Download
memory/960-60-0x0000000000000000-mapping.dmp

Download
memory/1000-75-0x0000000000000000-mapping.dmp

Download
memory/1112-105-0x0000000000000000-mapping.dmp

Download
memory/1124-76-0x0000000000000000-mapping.dmp

Download
memory/1172-108-0x0000000000000000-mapping.dmp

Download
memory/1176-72-0x0000000000000000-mapping.dmp

Download
memory/1232-70-0x0000000000000000-mapping.dmp

Download
memory/1248-110-0x0000000000000000-mapping.dmp

Download
memory/1248-84-0x0000000000000000-mapping.dmp

Download
memory/1316-94-0x0000000000000000-mapping.dmp

Download
memory/1320-90-0x0000000000000000-mapping.dmp

Download
memory/1320-116-0x0000000000000000-mapping.dmp

Download
memory/1320-63-0x0000000000000000-mapping.dmp

Download
memory/1328-101-0x0000000000000000-mapping.dmp

Download
memory/1348-66-0x0000000000000000-mapping.dmp

Download
memory/1396-114-0x0000000000000000-mapping.dmp

Download
memory/1396-58-0x0000000000000000-mapping.dmp

Download
memory/1416-119-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download
memory/1420-54-0x0000000000000000-mapping.dmp

Download
memory/1432-61-0x0000000000000000-mapping.dmp

Download
memory/1484-103-0x0000000000000000-mapping.dmp

Download
memory/1488-112-0x0000000000000000-mapping.dmp

Download
memory/1488-86-0x0000000000000000-mapping.dmp

Download
memory/1504-82-0x0000000000000000-mapping.dmp

Download
memory/1504-109-0x0000000000000000-mapping.dmp

Download
memory/1540-99-0x0000000000000000-mapping.dmp

Download
memory/1556-55-0x0000000000000000-mapping.dmp

Download
memory/1568-65-0x0000000000000000-mapping.dmp

Download
memory/1568-117-0x0000000000000000-mapping.dmp

Download
memory/1572-107-0x0000000000000000-mapping.dmp

Download
memory/1596-59-0x0000000000000000-mapping.dmp

Download
memory/1600-121-0x0000000003690000-0x00000000036A0000-memory.dmp

Filesize
64KB

Download
memory/1612-100-0x0000000000000000-mapping.dmp

Download
memory/1628-106-0x0000000000000000-mapping.dmp

Download
memory/1644-64-0x0000000000000000-mapping.dmp

Download
memory/1652-113-0x0000000000000000-mapping.dmp

Download
memory/1668-67-0x0000000000000000-mapping.dmp

Download
memory/1704-85-0x0000000000000000-mapping.dmp

Download
memory/1720-71-0x0000000000000000-mapping.dmp

Download
memory/1732-81-0x0000000000000000-mapping.dmp

Download
memory/1744-91-0x0000000000000000-mapping.dmp

Download
memory/1748-68-0x0000000000000000-mapping.dmp

Download
memory/1752-56-0x0000000000000000-mapping.dmp

Download
memory/1752-87-0x0000000000000000-mapping.dmp

Download
memory/1756-95-0x0000000000000000-mapping.dmp

Download
memory/1836-83-0x0000000000000000-mapping.dmp

Download
memory/1844-93-0x0000000000000000-mapping.dmp

Download
memory/1924-96-0x0000000000000000-mapping.dmp

Download
memory/1924-69-0x0000000000000000-mapping.dmp

Download
memory/1932-92-0x0000000000000000-mapping.dmp

Download
memory/1932-118-0x0000000000000000-mapping.dmp

Download
memory/1988-77-0x0000000000000000-mapping.dmp

Download
memory/2016-78-0x0000000000000000-mapping.dmp

Download
memory/2028-98-0x0000000000000000-mapping.dmp

Download
memory/2032-79-0x0000000000000000-mapping.dmp

Download
memory/2036-104-0x0000000000000000-mapping.dmp

Download
memory/2040-102-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads