39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d

Resubmissions

05-10-2022 11:39

221005-nsrtyaedfm 9

05-10-2022 08:12

221005-j3wtesdfg7 9

05-10-2022 06:56

221005-hqhwcsdeg8 9

Analysis

max time kernel
604s
max time network
493s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-10-2022 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

830004.exe
Size

691KB
MD5

58aea2aac89947773dfae8e3859e20b0
SHA1

be17c41c65703f9475e36dff55fd3de220e395f3
SHA256

39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
SHA512

f3d43c0759b05b949498cc63084b54b869c228a427f1590a1010007b4bdbebf760145a29e5f1a7c5585133ed76a3c1a5d7bf2ace46858ac9a48ff5c05eafa6eb
SSDEEP

12288:i0iads6yn93ySQDWYgeWYg955/155/m6q5iKn3zMCO342FoqdXS:dicFyn93ySQJ5f34Jo2Fi

Score

9^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

830004.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SelectSearch.tif => C:\Users\Admin\Pictures\SelectSearch.tif.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\SelectSearch.tif.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\ExitTrace.png => C:\Users\Admin\Pictures\ExitTrace.png.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\ExitTrace.png.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\ExportSearch.tiff => C:\Users\Admin\Pictures\ExportSearch.tiff.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\WaitExit.raw => C:\Users\Admin\Pictures\WaitExit.raw.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\WaitExit.raw.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\ExportSearch.tiff.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\InstallUnregister.tiff => C:\Users\Admin\Pictures\InstallUnregister.tiff.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\InstallUnregister.tiff.crypt	830004.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\830004.exe"	reg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

830004.exe

description	ioc	process
File opened (read-only)	\??\B:	830004.exe
File opened (read-only)	\??\E:	830004.exe
File opened (read-only)	\??\L:	830004.exe
File opened (read-only)	\??\P:	830004.exe
File opened (read-only)	\??\Q:	830004.exe
File opened (read-only)	\??\X:	830004.exe
File opened (read-only)	\??\G:	830004.exe
File opened (read-only)	\??\H:	830004.exe
File opened (read-only)	\??\J:	830004.exe
File opened (read-only)	\??\M:	830004.exe
File opened (read-only)	\??\N:	830004.exe
File opened (read-only)	\??\R:	830004.exe
File opened (read-only)	\??\S:	830004.exe
File opened (read-only)	\??\U:	830004.exe
File opened (read-only)	\??\W:	830004.exe
File opened (read-only)	\??\K:	830004.exe
File opened (read-only)	\??\T:	830004.exe
File opened (read-only)	\??\A:	830004.exe
File opened (read-only)	\??\F:	830004.exe
File opened (read-only)	\??\I:	830004.exe
File opened (read-only)	\??\O:	830004.exe
File opened (read-only)	\??\V:	830004.exe
File opened (read-only)	\??\Y:	830004.exe
File opened (read-only)	\??\Z:	830004.exe

Drops file in Program Files directory 64 IoCs

Processes:

830004.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF.crypt	830004.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt.crypt	830004.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\STUDIO.INF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099176.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105276.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02439_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_F_COL.HXK.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\AFTRNOON.ELM.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME47.CSS.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LOGO98.POC.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285698.WMF.crypt	830004.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Adelaide.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\SUMIPNTG.INF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02270_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_off.gif.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts2.css.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1B.BDR.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\weather.js.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02958_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKREQ.CFG.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAILMOD.POC.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01740_.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue.css.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.SG.XML.crypt	830004.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png.crypt	830004.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00135_.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png.crypt	830004.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoBeta.png.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Mazatlan.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.INF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02441_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02039_.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\slideShow.css.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107266.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21520_.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\viewSelectionChanged.js.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft.Office.InfoPath.targets.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04134_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00633_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\PMAILEXT.ECF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosecolor.gif.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196142.WMF.crypt	830004.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1988	timeout.exe
1948	timeout.exe
2004	timeout.exe
2040	timeout.exe
1136	timeout.exe
1968	timeout.exe
1968	timeout.exe
156	timeout.exe
1556	timeout.exe
972	timeout.exe
1964	timeout.exe
1984	timeout.exe
1552	timeout.exe
1056	timeout.exe
2032	timeout.exe
1304	timeout.exe
1660	timeout.exe
948	timeout.exe
960	timeout.exe
864	timeout.exe
668	timeout.exe
1196	timeout.exe
580	timeout.exe
1660	timeout.exe
1152	timeout.exe
624	timeout.exe
688	timeout.exe
1384	timeout.exe
544	timeout.exe
1956	timeout.exe
688	timeout.exe
524	timeout.exe
1536	timeout.exe
1376	timeout.exe
1508	timeout.exe
1912	timeout.exe
900	timeout.exe
1840	timeout.exe
1736	timeout.exe
1372	timeout.exe
1836	timeout.exe
1836	timeout.exe
544	timeout.exe
1840	timeout.exe
2044	timeout.exe
836	timeout.exe
588	timeout.exe
524	timeout.exe
1636	timeout.exe
1764	timeout.exe
1000	timeout.exe
2032	timeout.exe
1828	timeout.exe
1528	timeout.exe
692	timeout.exe
1636	timeout.exe
916	timeout.exe
788	timeout.exe
156	timeout.exe
972	timeout.exe
1624	timeout.exe
1136	timeout.exe
1584	timeout.exe
2032	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
992	tasklist.exe
1948	tasklist.exe
1584	tasklist.exe
1956	tasklist.exe
1196	tasklist.exe
1592	tasklist.exe
2032	tasklist.exe
836	tasklist.exe
692	tasklist.exe
1252	tasklist.exe
1320	tasklist.exe
1604	tasklist.exe
768	tasklist.exe
1148	tasklist.exe
768	tasklist.exe
1476	tasklist.exe
1496	tasklist.exe
108	tasklist.exe
692	tasklist.exe
1940	tasklist.exe
692	tasklist.exe
1720	tasklist.exe
320	tasklist.exe
1080	tasklist.exe
1720	tasklist.exe
1576	tasklist.exe
896	tasklist.exe
1748	tasklist.exe
916	tasklist.exe
2020	tasklist.exe
560	tasklist.exe
320	tasklist.exe
1772	tasklist.exe
1592	tasklist.exe
1956	tasklist.exe
1732	tasklist.exe
1000	tasklist.exe
1696	tasklist.exe
552	tasklist.exe
1840	tasklist.exe
1252	tasklist.exe
1952	tasklist.exe
1112	tasklist.exe
1304	tasklist.exe
1476	tasklist.exe
588	tasklist.exe
1112	tasklist.exe
1140	tasklist.exe
548	tasklist.exe
2024	tasklist.exe
1348	tasklist.exe
972	tasklist.exe
768	tasklist.exe
1956	tasklist.exe
992	tasklist.exe
1772	tasklist.exe
1592	tasklist.exe
1152	tasklist.exe
1908	tasklist.exe
824	tasklist.exe
808	tasklist.exe
1940	tasklist.exe
1252	tasklist.exe
1272	tasklist.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1476 vssadmin.exe

pid	process
1476	vssadmin.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1624	taskkill.exe
376	taskkill.exe
1556	taskkill.exe
624	taskkill.exe
2008	taskkill.exe
1724	taskkill.exe
1804	taskkill.exe
1404	taskkill.exe
1280	taskkill.exe
1148	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 18 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1376 reg.exe
Runs net.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1508 explorer.exe

pid	process
1376	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

830004.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetimeout.exetimeout.exetimeout.exetasklist.exetasklist.exetasklist.exefindstr.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetaskkill.exetasklist.exeexplorer.exevssadmin.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1352	830004.exe
Token: SeBackupPrivilege	1352	830004.exe
Token: SeRestorePrivilege	1352	830004.exe
Token: 35	1352	830004.exe
Token: SeSecurityPrivilege	1352	830004.exe
Token: SeManageVolumePrivilege	1352	830004.exe
Token: 32	1352	830004.exe
Token: SeTcbPrivilege	1352	830004.exe
Token: SeSystemProfilePrivilege	1352	830004.exe
Token: SeTakeOwnershipPrivilege	1352	830004.exe
Token: SeDebugPrivilege	808	tasklist.exe
Token: SeDebugPrivilege	1840	tasklist.exe
Token: SeDebugPrivilege	1476	tasklist.exe
Token: SeDebugPrivilege	1772	tasklist.exe
Token: SeDebugPrivilege	1252	tasklist.exe
Token: SeDebugPrivilege	692	tasklist.exe
Token: SeDebugPrivilege	1592	tasklist.exe
Token: SeDebugPrivilege	824	tasklist.exe
Token: SeDebugPrivilege	992	tasklist.exe
Token: SeDebugPrivilege	2024	tasklist.exe
Token: SeDebugPrivilege	1576	tasklist.exe
Token: SeDebugPrivilege	1940	tasklist.exe
Token: SeDebugPrivilege	896	tasklist.exe
Token: SeDebugPrivilege	1772	tasklist.exe
Token: SeDebugPrivilege	1252	tasklist.exe
Token: SeDebugPrivilege	692	tasklist.exe
Token: SeDebugPrivilege	1592	tasklist.exe
Token: SeDebugPrivilege	1320	tasklist.exe
Token: SeDebugPrivilege	992	tasklist.exe
Token: SeDebugPrivilege	108	tasklist.exe
Token: SeDebugPrivilege	1348	tasklist.exe
Token: SeDebugPrivilege	1748	tasklist.exe
Token: SeDebugPrivilege	1956	tasklist.exe
Token: SeDebugPrivilege	1720	tasklist.exe
Token: SeDebugPrivilege	1196	tasklist.exe
Token: SeDebugPrivilege	972	tasklist.exe
Token: SeDebugPrivilege	1952	tasklist.exe
Token: SeDebugPrivilege	1732	tasklist.exe
Token: SeDebugPrivilege	1592	tasklist.exe
Token: SeDebugPrivilege	1112	tasklist.exe
Token: SeDebugPrivilege	320	tasklist.exe
Token: SeDebugPrivilege	1604	tasklist.exe
Token: SeDebugPrivilege	768	tasklist.exe
Token: SeDebugPrivilege	1940	tasklist.exe
Token: SeDebugPrivilege	2032	timeout.exe
Token: SeDebugPrivilege	1948	timeout.exe
Token: SeDebugPrivilege	1000	timeout.exe
Token: SeDebugPrivilege	1080	tasklist.exe
Token: SeDebugPrivilege	1304	tasklist.exe
Token: SeDebugPrivilege	692	tasklist.exe
Token: SeDebugPrivilege	916	findstr.exe
Token: SeDebugPrivilege	1152	tasklist.exe
Token: SeDebugPrivilege	1696	tasklist.exe
Token: SeDebugPrivilege	2020	tasklist.exe
Token: SeDebugPrivilege	768	tasklist.exe
Token: SeDebugPrivilege	1584	tasklist.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	836	tasklist.exe
Token: SeDebugPrivilege	1252	explorer.exe
Token: SeDebugPrivilege	1476	vssadmin.exe
Token: SeDebugPrivilege	560	tasklist.exe
Token: SeDebugPrivilege	1496	tasklist.exe
Token: SeDebugPrivilege	588	tasklist.exe
Token: SeDebugPrivilege	548	tasklist.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

explorer.exe

pid	process
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe
1508	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

830004.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1352 wrote to memory of 1684	1352	830004.exe	cmd.exe
PID 1352 wrote to memory of 1684	1352	830004.exe	cmd.exe
PID 1352 wrote to memory of 1684	1352	830004.exe	cmd.exe
PID 1352 wrote to memory of 1328	1352	830004.exe	cmd.exe
PID 1352 wrote to memory of 1328	1352	830004.exe	cmd.exe
PID 1352 wrote to memory of 1328	1352	830004.exe	cmd.exe
PID 1352 wrote to memory of 2024	1352	830004.exe	cmd.exe
PID 1352 wrote to memory of 2024	1352	830004.exe	cmd.exe
PID 1352 wrote to memory of 2024	1352	830004.exe	cmd.exe
PID 2024 wrote to memory of 376	2024	cmd.exe	net.exe
PID 2024 wrote to memory of 376	2024	cmd.exe	net.exe
PID 2024 wrote to memory of 376	2024	cmd.exe	net.exe
PID 1684 wrote to memory of 1376	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1376	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1376	1684	cmd.exe	reg.exe
PID 1328 wrote to memory of 808	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 808	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 808	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 864	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 864	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 864	1328	cmd.exe	findstr.exe
PID 376 wrote to memory of 1168	376	net.exe	net1.exe
PID 376 wrote to memory of 1168	376	net.exe	net1.exe
PID 376 wrote to memory of 1168	376	net.exe	net1.exe
PID 1328 wrote to memory of 1828	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 1828	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 1828	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 1840	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 1840	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 1840	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 1836	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 1836	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 1836	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 1584	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 1584	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 1584	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 1476	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 1476	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 1476	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 1752	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 1752	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 1752	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 2032	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 2032	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 2032	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 1772	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 1772	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 1772	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 1196	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 1196	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 1196	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 960	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 960	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 960	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 1252	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 1252	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 1252	1328	cmd.exe	tasklist.exe
PID 1328 wrote to memory of 1000	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 1000	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 1000	1328	cmd.exe	findstr.exe
PID 1328 wrote to memory of 544	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 544	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 544	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 692	1328	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\830004.exe
"C:\Users\Admin\AppData\Local\Temp\830004.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\reg.exe
reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1376

C:\Windows\system32\cmd.exe
cmd /c C:\ProgramData\Microsoft\Settings\3i4I4e3o4.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:864

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1828

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1836

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1752

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2032

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1196

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:960

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1000

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:544

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:976

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:688

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2012

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1528

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2004

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1376

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:952

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1372

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:108

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:864

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1600

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1964

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:240

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1956

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1720

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2040

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1504

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:836

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1020

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1508

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1656

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1984

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1768

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:588

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2004

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:668

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:376

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:524

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1700

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1968

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1600

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1836

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1180

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:156

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1280

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1636

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:840

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1660

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:700

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:544

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1924

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1304

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1912

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:692

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1988

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:916

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:580

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1152

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1320

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1136

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:952

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:524

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1828

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1968

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1004

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:768

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1836

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1584

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:156

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2032

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2008

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1636

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1948

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1736

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1660

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1504

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1000

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:544

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1020

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1056

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:976

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1912

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1528

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1988

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:916

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1176

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1764

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1060

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:900

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1644

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:948

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1372

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1536

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1724

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1840

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1752

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1148

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:840

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:700

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1252

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1108

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:972

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1476

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:288

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:688

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:976

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1384

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1528

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1624

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1552

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:436

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2004

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1112

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1320

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1556

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:320

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:808

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:624

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:552

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1004

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1840

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1956

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1280

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:788

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1720

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:840

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1196

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1908

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1660

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2044

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1272

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:668

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1136

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1724

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2032

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1956

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1672

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1736

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1140

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1000

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:972

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1952

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1928

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net config server /autodisconnect:-1
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\net.exe
net config server /autodisconnect:-1
3⤵
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config server /autodisconnect:-1
4⤵
PID:1168

C:\Windows\explorer.exe
explorer.exe .\readme_for_unlock.txt
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /quiet
2⤵
PID:1080

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /All /quiet
3⤵
- Interacts with shadow copies
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\2y8B5o9q5.bat
2⤵
PID:2012

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1624

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:376

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1404

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1556

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:624

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:2008

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1724

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1804

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1280

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\3m7T9l8d7.bat
3⤵
PID:1772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1912

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Settings\3i4I4e3o4.bat
Filesize
163B

MD5
3578e838f655c9bd9426651cc13f6a84

SHA1
10b312cca508e1958507cd3f8a6feae72f6a3a3d

SHA256
42f5a94a41364f4ab334ab6bf3638b1861d3a10b7684df6e5968567ca5027bde

SHA512
4ccd6320fe0eb7dccd3b322ffbb94b9f718123dec2781f9f9404e3c520628f8f9d544b88189dda079a8f431cebdecc7a3cd94e37d21eb9257fdc65408465a995

Download Submit
C:\Users\Admin\AppData\Local\Temp\2y8B5o9q5.bat
Filesize
1.0MB

MD5
5e3324fb8772756821daec99828223a9

SHA1
a9133f8aa6a78af210983103274a8498d9148730

SHA256
d84c112348725078feb9723f9b50384ba0da88971c509096b51c42593779a58e

SHA512
de6bc0ec59882aba76df200bcfbc74f4e6acc9b8872dc2bc832b39e4533e7857d8f7f8676fc1f00b50808b162bfe0b88e72a855d0a99186e33a7dd08dfcaab66

Download Submit
C:\Users\Admin\AppData\Local\Temp\3m7T9l8d7.bat
Filesize
56B

MD5
b8558713fae63af5fd7f187fd54b055f

SHA1
0b41f4e197ce57aff24d64479233dd1533e864f7

SHA256
16862092262c2201b8d1516ec73b0cc6670c2d453b08613316a63da7307bc4a3

SHA512
c44c3cb79bb9b1e3df9516ed2cea6dedd7744a74a8fcf1cf2b6b7d175b1d5c8a1551810a072b04f91e6d69271191210d544fc91d17421abb1dfe9207b140bc27

Download Submit
C:\Users\Admin\Documents\Are.docx.crypt
Filesize
11KB

MD5
184e216a73b88496a6762b2b385cc72c

SHA1
44384075c15dd23998bb5fe9676eb97c6f1076e3

SHA256
08bfd1442e10dac6cf82ea5435755691360442839068adb89665842202354718

SHA512
38ed40de8fb59b34533a22de84b688a895396b59a60780542a9c9a848f6271da9cb0520815d96e4b62adeddd43b5c39b2805aac1ab7339008d39c66d806cae40

Download Submit
C:\Users\Admin\Documents\CompressProtect.potm.crypt
Filesize
652KB

MD5
fda6348cdcb37d38d8eb6361f0d0d14c

SHA1
bd625658e104fe77c9f8609cdc397558927e435a

SHA256
a2e81dbaf7846001c9167149f5b515e5c4cb82fc32f7195a40b5ce595be5215f

SHA512
35b1f76bca7edf0566a128cc3eb7d232dc4632d75c3f4cc5ab5b1b984ae1b92fc97d0da9f005627093cf7f13a2e8c691d8db8e1bc67caa1fb27db177152cf0d6

Download Submit
C:\Users\Admin\Documents\ConfirmLimit.dot.crypt
Filesize
491KB

MD5
eb4fc82ca67971ae37c1ab3c260f0392

SHA1
7947da510b3bce6e87e0e9b023340deeeb106925

SHA256
4785c26b2b61621a5f1df091916c55a1cb5a9d724b3d9b97f02366d1f8059c39

SHA512
3bb91e5e380bfde543ca60c7553870f03995a6f1901c550276356e239c3ad71869393d7ff8ea119386dc47bad681c793a3c75bacd2e791e117f4edac4d700f10

Download Submit
C:\Users\Admin\Documents\CopyAssert.dot.crypt
Filesize
509KB

MD5
0e3f55a7e4355233f5d4309e10e0d502

SHA1
485bb4da4dbd7fe4ce4a99bc51efed14ac76e548

SHA256
dd387a0aac488afc338452280959a87c7d84e22a854c4f3ff1946e9b3d79eb50

SHA512
956cf0948fbc909dbbef52c799ef6432aa19bd4209add4ef874f4f294ae57849e63f3d5fbe5942df00c34695a01a2da335ec9d6aa8b092785c82a863a58200be

Download Submit
C:\Users\Admin\Documents\CopyEnter.dotm.crypt
Filesize
295KB

MD5
43fd6d863a4bca2a7e42b372410929a6

SHA1
44a7a4e09de4395be0aa28cef789c2d771c6e7e2

SHA256
dc26b91dc4bad6ee00aff9852c50f92a8fd20ca9d7aa83131fefa35acc653cba

SHA512
27bf73b3c7a44e05849156779af247f1287ca0c97b7ae69231e6de1541c059dc92f421869cefd020cfa9db85943a1ced97b3796e1a6a1946702780715d2b9af6

Download Submit
C:\Users\Admin\Documents\CopyMount.htm.crypt
Filesize
473KB

MD5
79103b1684150745fc8c0ea3de44feaa

SHA1
3d9bde9c8454f3fd5886ae48906a692754b282c9

SHA256
7c78bcc6f72f4a6e0cb48f1c42032d4e94b89234114e71ec18903c54a914441f

SHA512
3aa54783cc5fe667359be25e83c0e99736bf989a73107fa14a9a559b6fe20204ed78476a6ef47fb3ae72bf3e5ebea3a384598cf878f9de08f65d9d238f34cd82

Download Submit
C:\Users\Admin\Documents\DebugStart.xla.crypt
Filesize
777KB

MD5
746b0021a65c7f29af373cf4b84bfdca

SHA1
ec135192bbd8464a073494e5eaaa04c3b1ad5811

SHA256
85f41324ea39137dbd6affbd6e849be53a2eda681fdaac47041c4694a150fc8a

SHA512
d00cfd2439d65e0b5f086df52553fedff60dae5ee789d52e1bf9e5813cc7d3c385bf45472a39fec89d72e0a960658b78f59cf55008067c3e267f0860e8995182

Download Submit
C:\Users\Admin\Documents\DenyOpen.potx.crypt
Filesize
527KB

MD5
0f6fd756df30a2cd0d062b1e630ffed8

SHA1
f91e4832197684270a63c9a07c8f6ea27e0aa307

SHA256
55704e167ec4052ea3f3a1f594acda2c6d206fbdeae0976fd3491b19ad80306b

SHA512
e40a6e0309f23ec312e5b1a25729cbd2f7801329a1f39c0c348a10ca7151fe5e7274d5fc46d63accf165b7fc8ed6cd8acd365cc993c0b2765ea4f940e42a289e

Download Submit
C:\Users\Admin\Documents\DisableSet.rtf.crypt
Filesize
420KB

MD5
bd279eca3306b84f6786df13df5164e8

SHA1
edaae52fe71ee282f40ec38e7337f82c126eeb3a

SHA256
80b8dc8587048e17efbbb07fbad7b5654886491be2d31ac903637c2bb526cb6f

SHA512
2887cb17a72df3b6b1e9262ad6636c7e95ff5479b7d34b0b6f66277411c15db5c95f995e29c80effa68157adc8c9b61b8452d15d7f29c8401d12a205ec470ce4

Download Submit
C:\Users\Admin\Documents\DismountLimit.dotm.crypt
Filesize
759KB

MD5
12e292c40f7ec8b2edede06540cfed1c

SHA1
87b42b32aef06a297bddcc3d29ab6bec8e973060

SHA256
3df5a1232f5a2c72ded4492ba6da1985481b9f23e11c41696cbf7a35cda1999b

SHA512
cc5df21c5490743660112100a0d7fdc3692e9bdebf6d967ee058c8b3197e0cb93ba129b195d00639f7611135f4523e19592159da8405e9964d2097b4f6dadca8

Download Submit
C:\Users\Admin\Documents\EnterMeasure.potm.crypt
Filesize
616KB

MD5
8890297b580e1c7557dd5f5538642d17

SHA1
4cbcefd837c2686f0d439ead14828dfe23bd1355

SHA256
b7080d79e6d0b618f477965c58630a1e2d77f37ef50ddb39407fd3ed39d116b0

SHA512
f685d280f0e81618734e60a2b1d5a773cfbaa9ebd30b2143d778d537342ae9c6c44657645a35d5714a80968275bec8089cba065db64f00358f8756fa9a5080e2

Download Submit
C:\Users\Admin\Documents\Files.docx.crypt
Filesize
11KB

MD5
2eb2cd2d5f900d020014b6be59949381

SHA1
c06e150084cecdac30aa533a6c6ecc45ee91e9d5

SHA256
08c004be2e3f71c687d0314e717ecfc0f4f90faef71cab4fa6f9a35bd197c0c0

SHA512
6368ee5547da5730e24e7b31ba3171eefc459c3b4f239ea516ad5fd951f3c74ce8bcb3fdc09b260621e84ded405761ad299af00cdfc1fab70fc62a4a2f101c1a

Download Submit
C:\Users\Admin\Documents\FindDisable.xltm.crypt
Filesize
723KB

MD5
9c99e527956e0a1c894959fad06a36a7

SHA1
4ad0e8250539711083490e7192fe2cd3b1388844

SHA256
77852d63846cffa43db1a810b6fc41f91a8c378110f95106077904ccda9e7cb0

SHA512
d9c35e1438d8cba7a69db280de37b5b6ac2b47a3215b48c139447765e7196d1dd6212c5dd9b98551b0410d0701c3ae0009b7ad26111a40b648f0d2dfb0b4945d

Download Submit
C:\Users\Admin\Documents\FormatAdd.xml.crypt
Filesize
312KB

MD5
4393dc134d39f52606fd2fe5082ee9a7

SHA1
59b86d69a941b2ee7c0133b943cdbb2582b1430e

SHA256
f4ea14a74322d95933b3ddb5031b039010df31747da6a32845a6bf5605e19ff7

SHA512
554237a8061c3b77dbf335f70de3ef5287aa6ea5d63ad511e7065df974678fb6afe8982ebf8a1dafe7394137b6d814bab761d7b6378b2e95d5f6c34fa460064a

Download Submit
C:\Users\Admin\Documents\GroupEnable.txt.crypt
Filesize
563KB

MD5
ca670ea869147c73047ec97f3e2a2b06

SHA1
b684fcd3ea0e54d1f79d67b0d97649b246f1d0eb

SHA256
9777473843c2a9f22adef37fa8259dca34f0c20db9c0947697ed1cf213be7cca

SHA512
5acb6ef00a2184466acaf3a1f7435f295577c97ab1963770543ebc49c19f583813840fa1443979374d12edd5c211269c9212dd7e7ef8541134c6fb6c0fa56328

Download Submit
C:\Users\Admin\Documents\ImportComplete.vsx.crypt
Filesize
831KB

MD5
d5c117a24767c40f9b24578fffea2e69

SHA1
afaaf6582afe90f8569f09259a684a67e2ad2ab2

SHA256
e0be02c4bfa1a01370d54681c5d813bf1a39049b8cc30d82fbd91077e4493ae6

SHA512
5d5a573a84f06f13dbe8f45da211d4c1b0c1fc6bc1f898e190f241eb1eea8a8e7af9b7e7fcef54461698b2d7826a577982b8bc478d1631466b5b4fa215d66c83

Download Submit
C:\Users\Admin\Documents\InitializeSync.vsd.crypt
Filesize
402KB

MD5
4423fa4b6cce11670171f0c39576e45c

SHA1
140d986fb27833cf53bf3f0aafb9ba705e8331c9

SHA256
a643866123a20b39730eccd18114f84896a790ca9cd423c11ab027aae2758cc2

SHA512
be43257a6b08dcd3f3cabcdae09c770a6fac1504d0414998acbf1b738487afa6a884c241d44649981de9b8d49d678d2c08e382fa1fe044ee5291c3ec260eee4c

Download Submit
C:\Users\Admin\Documents\Opened.docx.crypt
Filesize
11KB

MD5
ab02b7c2c1108fd5d3615fe2bf73d579

SHA1
83c59f608bc6f1ba1fee73c082735f1f2707ba27

SHA256
6621fd1137f756528363e42cf8109ac0abc4fdc459460e9b3b55cb7066a85726

SHA512
7f9ac14fc0614eaf454307b3fff330585b5c3c6089b7c4403454ffb29aa526e94cf1140d1235698c28beab989e49f2e19386d377bec25338bbb2adf1baa9a308

Download Submit
C:\Users\Admin\Documents\PingClear.vdx.crypt
Filesize
437KB

MD5
e81a7eb75a77962d993b3f50b73b507c

SHA1
74609d56bfbbf75edc51f68fe26db4712d191cc2

SHA256
acb3e06a7cc435625c29671fd276aa796b08dd1acd1a68cf51d4c922107963ef

SHA512
2d6e0b1fdfabf134ebd9f3cda7bb4e5ee6c27ab75bc44c338f529173ac5c6fd2e1d8b2ac0b5253b9cf075b37e9627a16ffdf7185f07dd44adbfc6f04aad9b500

Download Submit
C:\Users\Admin\Documents\PopRequest.pps.crypt
Filesize
384KB

MD5
60cafd6df24d831cdff27e35c0981487

SHA1
29165d89572a21d3fabbeb59d896532393a2b6c1

SHA256
1c8592410bd88c2e79482c967ae3f62ae5f89104a1367519f43c17a43ca3ecd9

SHA512
4cefa3aa51f54219e123ffca171e928c0683e8d33ccab4ddbe0da1dc2eedbc752563f338f93042bcc4a4fb8cd2ab73453d2a4dec6946d3068ac93a93572ec376

Download Submit
memory/108-89-0x0000000000000000-mapping.dmp

Download
memory/108-118-0x0000000000000000-mapping.dmp

Download
memory/240-95-0x0000000000000000-mapping.dmp

Download
memory/376-116-0x0000000000000000-mapping.dmp

Download
memory/376-57-0x0000000000000000-mapping.dmp

Download
memory/524-117-0x0000000000000000-mapping.dmp

Download
memory/544-75-0x0000000000000000-mapping.dmp

Download
memory/588-111-0x0000000000000000-mapping.dmp

Download
memory/668-114-0x0000000000000000-mapping.dmp

Download
memory/688-78-0x0000000000000000-mapping.dmp

Download
memory/692-76-0x0000000000000000-mapping.dmp

Download
memory/692-106-0x0000000000000000-mapping.dmp

Download
memory/808-60-0x0000000000000000-mapping.dmp

Download
memory/824-82-0x0000000000000000-mapping.dmp

Download
memory/836-102-0x0000000000000000-mapping.dmp

Download
memory/864-90-0x0000000000000000-mapping.dmp

Download
memory/864-61-0x0000000000000000-mapping.dmp

Download
memory/896-97-0x0000000000000000-mapping.dmp

Download
memory/952-86-0x0000000000000000-mapping.dmp

Download
memory/960-72-0x0000000000000000-mapping.dmp

Download
memory/976-77-0x0000000000000000-mapping.dmp

Download
memory/992-115-0x0000000000000000-mapping.dmp

Download
memory/992-85-0x0000000000000000-mapping.dmp

Download
memory/1000-74-0x0000000000000000-mapping.dmp

Download
memory/1020-104-0x0000000000000000-mapping.dmp

Download
memory/1168-62-0x0000000000000000-mapping.dmp

Download
memory/1196-71-0x0000000000000000-mapping.dmp

Download
memory/1252-119-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download
memory/1252-103-0x0000000000000000-mapping.dmp

Download
memory/1252-73-0x0000000000000000-mapping.dmp

Download
memory/1320-112-0x0000000000000000-mapping.dmp

Download
memory/1328-55-0x0000000000000000-mapping.dmp

Download
memory/1372-87-0x0000000000000000-mapping.dmp

Download
memory/1376-59-0x0000000000000000-mapping.dmp

Download
memory/1376-84-0x0000000000000000-mapping.dmp

Download
memory/1476-67-0x0000000000000000-mapping.dmp

Download
memory/1504-101-0x0000000000000000-mapping.dmp

Download
memory/1508-105-0x0000000000000000-mapping.dmp

Download
memory/1508-121-0x0000000003690000-0x00000000036A0000-memory.dmp

Filesize
64KB

Download
memory/1528-81-0x0000000000000000-mapping.dmp

Download
memory/1576-91-0x0000000000000000-mapping.dmp

Download
memory/1584-66-0x0000000000000000-mapping.dmp

Download
memory/1592-109-0x0000000000000000-mapping.dmp

Download
memory/1592-79-0x0000000000000000-mapping.dmp

Download
memory/1600-92-0x0000000000000000-mapping.dmp

Download
memory/1656-107-0x0000000000000000-mapping.dmp

Download
memory/1684-54-0x0000000000000000-mapping.dmp

Download
memory/1720-98-0x0000000000000000-mapping.dmp

Download
memory/1752-68-0x0000000000000000-mapping.dmp

Download
memory/1768-110-0x0000000000000000-mapping.dmp

Download
memory/1772-100-0x0000000000000000-mapping.dmp

Download
memory/1772-70-0x0000000000000000-mapping.dmp

Download
memory/1828-63-0x0000000000000000-mapping.dmp

Download
memory/1836-65-0x0000000000000000-mapping.dmp

Download
memory/1840-64-0x0000000000000000-mapping.dmp

Download
memory/1940-94-0x0000000000000000-mapping.dmp

Download
memory/1956-96-0x0000000000000000-mapping.dmp

Download
memory/1964-93-0x0000000000000000-mapping.dmp

Download
memory/1984-108-0x0000000000000000-mapping.dmp

Download
memory/2004-83-0x0000000000000000-mapping.dmp

Download
memory/2004-113-0x0000000000000000-mapping.dmp

Download
memory/2012-80-0x0000000000000000-mapping.dmp

Download
memory/2024-88-0x0000000000000000-mapping.dmp

Download
memory/2024-56-0x0000000000000000-mapping.dmp

Download
memory/2032-69-0x0000000000000000-mapping.dmp

Download
memory/2040-99-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads