39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d

Resubmissions

05-10-2022 11:39

221005-nsrtyaedfm 9

05-10-2022 08:12

221005-j3wtesdfg7 9

05-10-2022 06:56

221005-hqhwcsdeg8 9

Analysis

max time kernel
1691s
max time network
1695s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-10-2022 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

830004.exe
Size

691KB
MD5

58aea2aac89947773dfae8e3859e20b0
SHA1

be17c41c65703f9475e36dff55fd3de220e395f3
SHA256

39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
SHA512

f3d43c0759b05b949498cc63084b54b869c228a427f1590a1010007b4bdbebf760145a29e5f1a7c5585133ed76a3c1a5d7bf2ace46858ac9a48ff5c05eafa6eb
SSDEEP

12288:i0iads6yn93ySQDWYgeWYg955/155/m6q5iKn3zMCO342FoqdXS:dicFyn93ySQJ5f34Jo2Fi

Score

9^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 16 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

830004.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\CopyCheckpoint.raw.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\DenyAssert.crw.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\ExpandImport.crw => C:\Users\Admin\Pictures\ExpandImport.crw.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\MergeReset.crw.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\SkipBackup.tif.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\DenyAssert.crw => C:\Users\Admin\Pictures\DenyAssert.crw.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\SetMove.png => C:\Users\Admin\Pictures\SetMove.png.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectEnable.png.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\SetMove.png.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\CopyCheckpoint.raw => C:\Users\Admin\Pictures\CopyCheckpoint.raw.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandImport.crw.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\ExportUnblock.png => C:\Users\Admin\Pictures\ExportUnblock.png.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\ExportUnblock.png.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\MergeReset.crw => C:\Users\Admin\Pictures\MergeReset.crw.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\ProtectEnable.png => C:\Users\Admin\Pictures\ProtectEnable.png.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\SkipBackup.tif => C:\Users\Admin\Pictures\SkipBackup.tif.crypt	830004.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\830004.exe"	reg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

830004.exe

description	ioc	process
File opened (read-only)	\??\V:	830004.exe
File opened (read-only)	\??\B:	830004.exe
File opened (read-only)	\??\I:	830004.exe
File opened (read-only)	\??\K:	830004.exe
File opened (read-only)	\??\P:	830004.exe
File opened (read-only)	\??\R:	830004.exe
File opened (read-only)	\??\S:	830004.exe
File opened (read-only)	\??\T:	830004.exe
File opened (read-only)	\??\H:	830004.exe
File opened (read-only)	\??\M:	830004.exe
File opened (read-only)	\??\O:	830004.exe
File opened (read-only)	\??\Q:	830004.exe
File opened (read-only)	\??\A:	830004.exe
File opened (read-only)	\??\N:	830004.exe
File opened (read-only)	\??\L:	830004.exe
File opened (read-only)	\??\U:	830004.exe
File opened (read-only)	\??\W:	830004.exe
File opened (read-only)	\??\X:	830004.exe
File opened (read-only)	\??\E:	830004.exe
File opened (read-only)	\??\F:	830004.exe
File opened (read-only)	\??\G:	830004.exe
File opened (read-only)	\??\J:	830004.exe
File opened (read-only)	\??\Y:	830004.exe
File opened (read-only)	\??\Z:	830004.exe

Drops file in Program Files directory 64 IoCs

Processes:

830004.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01473_.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\Revert.wmz.crypt	830004.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102594.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME06.CSS.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECRECS.ICO.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageSlice.gif.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityMergeLetter.Dotx.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Magadan.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_ON.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OnLineIdle.ico.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Seyes.jtp.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\cpu.html.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTEL.ICO.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\RSSFeeds.js.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102002.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js.crypt	830004.exe
File opened for modification	C:\Program Files\7-Zip\License.txt.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215710.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyResume.dotx.crypt	830004.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\settings.css.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado26.tlb.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcfr.dll.mui.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHSAPIFE.DLL.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DVDHM.POC.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186346.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14581_.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_ON.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\STSUCRES.DLL.crypt	830004.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png.crypt	830004.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\gadget.xml.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48F.GIF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLR.SAM.crypt	830004.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\fr-FR\Solitaire.exe.mui.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188679.WMF.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf.crypt	830004.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
632	timeout.exe
1288	timeout.exe
576	timeout.exe
1552	timeout.exe
952	timeout.exe
924	timeout.exe
1072	timeout.exe
1692	timeout.exe
1744	timeout.exe
1756	timeout.exe
1988	timeout.exe
1160	timeout.exe
240	timeout.exe
2036	timeout.exe
1600	timeout.exe
1752	timeout.exe
1604	timeout.exe
792	timeout.exe
1876	timeout.exe
1736	timeout.exe
1688	timeout.exe
1520	timeout.exe
1860	timeout.exe
1924	timeout.exe
156	timeout.exe
1632	timeout.exe
1860	timeout.exe
860	timeout.exe
1172	timeout.exe
1744	timeout.exe
1916	timeout.exe
1976	timeout.exe
976	timeout.exe
1588	timeout.exe
1008	timeout.exe
624	timeout.exe
892	timeout.exe
1088	timeout.exe
1172	timeout.exe
1284	timeout.exe
1072	timeout.exe
968	timeout.exe
568	timeout.exe
632	timeout.exe
1488	timeout.exe
576	timeout.exe
1516	timeout.exe
1212	timeout.exe
948	timeout.exe
1212	timeout.exe
888	timeout.exe
1812	timeout.exe
1768	timeout.exe
1660	timeout.exe
364	timeout.exe
1092	timeout.exe
1692	timeout.exe
1764	timeout.exe
576	timeout.exe
836	timeout.exe
1768	timeout.exe
856	timeout.exe
1388	timeout.exe
836	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
272	tasklist.exe
740	tasklist.exe
1592	tasklist.exe
1672	tasklist.exe
860	tasklist.exe
532	tasklist.exe
1764	tasklist.exe
1680	tasklist.exe
452	tasklist.exe
776	tasklist.exe
1996	tasklist.exe
1648	tasklist.exe
972	tasklist.exe
1124	tasklist.exe
1620	tasklist.exe
1216	tasklist.exe
1624	tasklist.exe
888	tasklist.exe
1996	tasklist.exe
1712	tasklist.exe
800	tasklist.exe
900	tasklist.exe
1224	tasklist.exe
1608	tasklist.exe
800	tasklist.exe
1464	tasklist.exe
1464	tasklist.exe
1616	tasklist.exe
764	tasklist.exe
1516	tasklist.exe
1624	tasklist.exe
1620	tasklist.exe
1800	tasklist.exe
1284	tasklist.exe
1164	tasklist.exe
1996	tasklist.exe
1748	tasklist.exe
1092	tasklist.exe
952	tasklist.exe
900	tasklist.exe
1120	tasklist.exe
1580	tasklist.exe
1716	tasklist.exe
1728	tasklist.exe
1660	tasklist.exe
1600	tasklist.exe
1572	tasklist.exe
1308	tasklist.exe
1620	tasklist.exe
1772	tasklist.exe
992	tasklist.exe
1552	tasklist.exe
652	tasklist.exe
1916	tasklist.exe
1308	tasklist.exe
1308	tasklist.exe
1472	tasklist.exe
1608	tasklist.exe
1736	tasklist.exe
1988	tasklist.exe
568	tasklist.exe
1128	tasklist.exe
112	tasklist.exe
1736	tasklist.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1876 vssadmin.exe

pid	process
1876	vssadmin.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
964	taskkill.exe
1696	taskkill.exe
1376	taskkill.exe
740	taskkill.exe
1972	taskkill.exe
156	taskkill.exe
1728	taskkill.exe
1324	taskkill.exe
1552	taskkill.exe
1680	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe

Modifies registry class 45 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "650"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "50"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294935296"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1050"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "250"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294935296"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

792 reg.exe
Runs net.exe

pid	process
792	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

830004.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1456	830004.exe
Token: SeBackupPrivilege	1456	830004.exe
Token: SeRestorePrivilege	1456	830004.exe
Token: 35	1456	830004.exe
Token: SeSecurityPrivilege	1456	830004.exe
Token: SeManageVolumePrivilege	1456	830004.exe
Token: 32	1456	830004.exe
Token: SeTcbPrivilege	1456	830004.exe
Token: SeSystemProfilePrivilege	1456	830004.exe
Token: SeTakeOwnershipPrivilege	1456	830004.exe
Token: SeDebugPrivilege	1620	tasklist.exe
Token: SeDebugPrivilege	776	tasklist.exe
Token: SeDebugPrivilege	1092	tasklist.exe
Token: SeDebugPrivilege	1580	tasklist.exe
Token: SeDebugPrivilege	1248	tasklist.exe
Token: SeDebugPrivilege	1308	tasklist.exe
Token: SeDebugPrivilege	1464	tasklist.exe
Token: SeDebugPrivilege	1128	tasklist.exe
Token: SeDebugPrivilege	1712	tasklist.exe
Token: SeDebugPrivilege	1472	tasklist.exe
Token: SeDebugPrivilege	112	tasklist.exe
Token: SeDebugPrivilege	272	tasklist.exe
Token: SeDebugPrivilege	452	tasklist.exe
Token: SeDebugPrivilege	1736	tasklist.exe
Token: SeDebugPrivilege	1640	tasklist.exe
Token: SeDebugPrivilege	532	tasklist.exe
Token: SeDebugPrivilege	1996	tasklist.exe
Token: SeDebugPrivilege	1460	tasklist.exe
Token: SeDebugPrivilege	1764	tasklist.exe
Token: SeDebugPrivilege	1732	tasklist.exe
Token: SeDebugPrivilege	952	tasklist.exe
Token: SeDebugPrivilege	1600	tasklist.exe
Token: SeDebugPrivilege	272	tasklist.exe
Token: SeDebugPrivilege	900	tasklist.exe
Token: SeDebugPrivilege	1284	tasklist.exe
Token: SeDebugPrivilege	1680	tasklist.exe
Token: SeDebugPrivilege	1624	tasklist.exe
Token: SeDebugPrivilege	1072	tasklist.exe
Token: SeDebugPrivilege	1812	tasklist.exe
Token: SeDebugPrivilege	1572	tasklist.exe
Token: SeDebugPrivilege	1764	tasklist.exe
Token: SeDebugPrivilege	760	tasklist.exe
Token: SeDebugPrivilege	1620	tasklist.exe
Token: SeDebugPrivilege	976	tasklist.exe
Token: SeDebugPrivilege	740	tasklist.exe
Token: SeDebugPrivilege	452	tasklist.exe
Token: SeDebugPrivilege	1580	tasklist.exe
Token: SeDebugPrivilege	1648	tasklist.exe
Token: SeDebugPrivilege	1308	tasklist.exe
Token: SeDebugPrivilege	1364	tasklist.exe
Token: SeDebugPrivilege	1464	tasklist.exe
Token: SeDebugPrivilege	1716	tasklist.exe
Token: SeDebugPrivilege	800	tasklist.exe
Token: SeDebugPrivilege	1568	tasklist.exe
Token: SeDebugPrivilege	948	tasklist.exe
Token: SeDebugPrivilege	1620	tasklist.exe
Token: SeDebugPrivilege	1216	tasklist.exe
Token: SeDebugPrivilege	1800	tasklist.exe
Token: SeDebugPrivilege	900	tasklist.exe
Token: SeDebugPrivilege	1608	tasklist.exe
Token: SeDebugPrivilege	360	tasklist.exe
Token: SeDebugPrivilege	1624	tasklist.exe
Token: SeDebugPrivilege	1224	tasklist.exe
Token: SeDebugPrivilege	1592	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

830004.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1456 wrote to memory of 968	1456	830004.exe	cmd.exe
PID 1456 wrote to memory of 968	1456	830004.exe	cmd.exe
PID 1456 wrote to memory of 968	1456	830004.exe	cmd.exe
PID 1456 wrote to memory of 760	1456	830004.exe	cmd.exe
PID 1456 wrote to memory of 760	1456	830004.exe	cmd.exe
PID 1456 wrote to memory of 760	1456	830004.exe	cmd.exe
PID 1456 wrote to memory of 1936	1456	830004.exe	cmd.exe
PID 1456 wrote to memory of 1936	1456	830004.exe	cmd.exe
PID 1456 wrote to memory of 1936	1456	830004.exe	cmd.exe
PID 968 wrote to memory of 792	968	cmd.exe	reg.exe
PID 968 wrote to memory of 792	968	cmd.exe	reg.exe
PID 968 wrote to memory of 792	968	cmd.exe	reg.exe
PID 1936 wrote to memory of 1620	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 1620	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 1620	1936	cmd.exe	tasklist.exe
PID 760 wrote to memory of 1752	760	cmd.exe	net.exe
PID 760 wrote to memory of 1752	760	cmd.exe	net.exe
PID 760 wrote to memory of 1752	760	cmd.exe	net.exe
PID 1936 wrote to memory of 952	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 952	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 952	1936	cmd.exe	findstr.exe
PID 1752 wrote to memory of 1172	1752	net.exe	net1.exe
PID 1752 wrote to memory of 1172	1752	net.exe	net1.exe
PID 1752 wrote to memory of 1172	1752	net.exe	net1.exe
PID 1936 wrote to memory of 1600	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1600	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1600	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 776	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 776	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 776	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 1084	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1084	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1084	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1800	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1800	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1800	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1092	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 1092	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 1092	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 1008	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1008	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1008	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1168	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1168	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1168	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1580	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 1580	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 1580	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 1320	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1320	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1320	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 856	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 856	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 856	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1248	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 1248	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 1248	1936	cmd.exe	tasklist.exe
PID 1936 wrote to memory of 1608	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1608	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1608	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1648	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1648	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1648	1936	cmd.exe	timeout.exe
PID 1936 wrote to memory of 1308	1936	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\830004.exe
"C:\Users\Admin\AppData\Local\Temp\830004.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\system32\reg.exe
reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:792

C:\Windows\system32\cmd.exe
cmd /c C:\ProgramData\Microsoft\Settings\4v0C3a9i6.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:952

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1600

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1084

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1800

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1008

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1168

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1320

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:856

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1608

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1648

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1660

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1072

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1224

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:240

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1120

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1588

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1564

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:792

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1352

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1752

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1188

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1208

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:272

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1204

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1540

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:960

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1552

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1516

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1680

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1624

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1604

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:892

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1756

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:860

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1388

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1520

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1744

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1568

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1772

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1336

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1816

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1700

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2028

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1532

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1844

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:272

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1800

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1008

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1876

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1512

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:856

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1768

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:692

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:828

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1612

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1660

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1000

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1224

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1464

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1988

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1120

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1716

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1520

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:800

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:624

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1724

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1144

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1732

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1740

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1672

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:632

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1600

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:932

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:272

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1288

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1544

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:576

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1616

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:364

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1748

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1160

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1832

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1488

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1000

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:240

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1988

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1692

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1460

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1744

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1376

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1172

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1724

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2036

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1732

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:952

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1636

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:992

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1924

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1552

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1164

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1516

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1728

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:576

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1284

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1212

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1680

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:836

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1660

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1860

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:860

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:240

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:888

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1692

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1564

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1712

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1744

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1772

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:972

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1172

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:112

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1352

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1916

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1964

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:776

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:632

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1672

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:652

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1976

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:932

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:992

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1924

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1552

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1288

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1164

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1736

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1528

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1876

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1728

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:576

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1284

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1608

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1212

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:692

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1680

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:836

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1632

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1660

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1860

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1072

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:240

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:860

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1388

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1692

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:888

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:968

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1712

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1744

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1776

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1172

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:972

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1764

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:112

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1916

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:948

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1964

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1952

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:568

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:652

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1976

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1540

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:932

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1924

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:272

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1124

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1512

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1736

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:900

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1580

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:576

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1284

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1648

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1212

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:692

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1832

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:836

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1632

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1000

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1860

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1072

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1464

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:240

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1592

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1004

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:888

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:800

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1376

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1724

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1740

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1916

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:976

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1600

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1092

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1688

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1800

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:156

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1516

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1164

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:924

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1768

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1616

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:364

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1604

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1748

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1648

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:892

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1308

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1100

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1088

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1996

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1364

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:860

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1988

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1588

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:792

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:764

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:964

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1772

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1568

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1112

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1724

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:568

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:268

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:976

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1540

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1208

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1812

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1688

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1544

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:156

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:856

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1516

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:924

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:860

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:240

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1588

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1916

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:268

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1092

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1544

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1552

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:452

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1768

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1052

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1620

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1996

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1120

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net config server /autodisconnect:-1
2⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\net.exe
net config server /autodisconnect:-1
3⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config server /autodisconnect:-1
4⤵
PID:1172

C:\Windows\explorer.exe
explorer.exe .\readme_for_unlock.txt
2⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /quiet
2⤵
PID:1480

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /All /quiet
3⤵
- Interacts with shadow copies
PID:1876

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\9x3G9z0z0.bat
2⤵
PID:1072

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:964

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1696

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1376

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1324

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:740

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1972

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:156

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1552

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1728

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\0l4Y1w9m0.bat
3⤵
PID:208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1580

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0
1⤵
PID:240

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
PID:1092

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
PID:1688

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
2⤵
PID:960

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Settings\4v0C3a9i6.bat
Filesize
163B

MD5
3578e838f655c9bd9426651cc13f6a84

SHA1
10b312cca508e1958507cd3f8a6feae72f6a3a3d

SHA256
42f5a94a41364f4ab334ab6bf3638b1861d3a10b7684df6e5968567ca5027bde

SHA512
4ccd6320fe0eb7dccd3b322ffbb94b9f718123dec2781f9f9404e3c520628f8f9d544b88189dda079a8f431cebdecc7a3cd94e37d21eb9257fdc65408465a995

Download Submit
C:\Users\Admin\AppData\Local\Temp\0l4Y1w9m0.bat
Filesize
56B

MD5
e9fa74f7ede2a6b66313b807ecf49050

SHA1
0f714800825d7af405e632aadfb88c6ba1493c84

SHA256
c8173352274ac3041a120e58d54c7fef922ab99fe637f737368ec55225c9f316

SHA512
a62fb664092ef86a48ca9a085889a6a77213f3ed3a18d099d58bb0f121c6eacae7f48c7b4994814113ace02b1270c7c9c40e14ba6ef75165fae9711747e45f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\9x3G9z0z0.bat
Filesize
1.0MB

MD5
22f2738bcd88757c6f214b6cb7cb1ea2

SHA1
cf6f1c494ebbabc01fd042e5d0160b901cf54f2d

SHA256
f1d74ab247de8287c8e6ed7bc756b875fd746bb8321426ed327969675f0f6d15

SHA512
163620f7641f989e9f58ed5dd5d8ac61f5d59d026d7728659acb1c78b2881c3f9ea874ab21afc1b986b59ebc2129a748d6c906574a58e53611512d1f44d5e4a9

Download Submit
C:\Users\Admin\Documents\ApproveUnprotect.docm.crypt
Filesize
253KB

MD5
5daf97bbe411a49968997677da59442f

SHA1
81849bbf19789041bc988c98eb4165e52ebd3e6c

SHA256
b97dc0712300fe9048351cd5c3ad8fe6ae49b26e761e657ae1cbbfe989da73a2

SHA512
d36ce5b3ec47b52d61384aa7c8a51d8de4d91ea7e38743b8ed1de4fa5bda6bf8fd3d239f34d546ccb0f9253dd3219805a90cd90d64e8de5f971783e1cdaded8a

Download Submit
C:\Users\Admin\Documents\Are.docx.crypt
Filesize
11KB

MD5
5c76a1849ccdbbee066a7c9b020fb446

SHA1
e8d979ac63962fb828e558cde4a486aa25785cc5

SHA256
8e1a6adf07dd1e9437a63879210bc0267c2017f75b1dbdc692019bb92d30c899

SHA512
a9432d9aff0b77a2fed0dd4e6d04f6063d44f270090cad54424d4d80785af38d980a051177a51a652d778e02510f92bd371d8e88670d37c32e1d61b2ae64c7b3

Download Submit
C:\Users\Admin\Documents\AssertFind.xltx.crypt
Filesize
399KB

MD5
06ebaca10bb37067f4c31f05b65ec06d

SHA1
4ab2208ff7c789d4c37e7cb4d34111c48aa5a3c1

SHA256
854244f1bc000b76499c73b891931167610b845ce3db2618064a442966e33766

SHA512
f776b73755b956462c35b0d194216e924b8f217a7b928fade9bb6672e1704d3fe25e7ea602b75736fd7bbc646c0555941630402f8edd706103b7504f7d9f57f7

Download Submit
C:\Users\Admin\Documents\CheckpointRemove.pot.crypt
Filesize
331KB

MD5
f3bb9307f6f8cfdf9182f09bed9fc66b

SHA1
f56d66b7e55077e4e38052d2113b91309d41e445

SHA256
4f6b593236e57d0d5c3864fa87b29d4a63a84abf8ba59c4b652ebaf5d9590d1d

SHA512
61790215a487d12e78573d848099740340e900dc284700af2b98e59a2ad45d25cb0489bcf382501d8d64a1a29da6409e6436ea36d290ae31fd3543b307f8251c

Download Submit
C:\Users\Admin\Documents\CompleteDismount.ppsm.crypt
Filesize
175KB

MD5
e8c77f63d4524ac9217905eef195e2ba

SHA1
5a156cc68fc63e39af272e7f676a5015a82c012d

SHA256
83794b5f21d7aeeab3d1edf55428602d4a0b0dd2d9af01b7326097d2f9a557ed

SHA512
bf57e46f68626942f8e18d466f431e486e32dcea0059f245b0dd4975b399b5e615a47cedacf9f24eebbb36cf9fe8320bff40fabb6637b7e3f034dbb7fd0d4558

Download Submit
C:\Users\Admin\Documents\CompleteDismount.vssx.crypt
Filesize
214KB

MD5
b8d884409485e059621c679894a94202

SHA1
bc4fb9251e6cd9a9d07683a70373ab2e35356509

SHA256
954d3b36eacbfcce71c42bac58e4acadccb4694b64b0c4b21c3daa592e8b6f35

SHA512
da628a73442ca79f38b4f326a346797caba03efae2dc5fb2d9d4275b46e1ed08eee9deea38d2bb9e28210cece1bd85109f97c8482abf8562afcf6d5b0e8cbfde

Download Submit
C:\Users\Admin\Documents\ConvertFromCompare.xml.crypt
Filesize
234KB

MD5
8b4b5fbef3b0b45b6de1b8bb0e39780a

SHA1
07e32aff9531a08baeda8a07d6c3fc031d85b193

SHA256
2443d8b6fc8b60e785bed535c020e5bcb9830b4bba04fab70328d72994ea3ab5

SHA512
1c7388d3738fe057393a937dd44423d9accc5efa186adb220732ff8926780bad00e49bbb0e40cd054da16073fb54c8fbe7473161db3022fccdc99a49b3d62d01

Download Submit
C:\Users\Admin\Documents\ConvertFromSwitch.mpp.crypt
Filesize
380KB

MD5
fcfc848604285d30cf98cff0f2c9488e

SHA1
d8b593d4dc0132fdc26445ff5a301e4a001306e4

SHA256
b6a270a46be6159b3b5011735e16208b8fb41b93c3e2156dd26a9c8cd990ad3a

SHA512
1aa557a2c10c6ce09cab93e20e920763402774e02a4b8c64db6330119cdd9a6882d05bf517403558b3a9699f6b47063b59b7b785ee3b58a89a0fae1d5397135a

Download Submit
C:\Users\Admin\Documents\DebugSelect.xla.crypt
Filesize
165KB

MD5
41e5e8fdede09539c3bcd2518b7d5ea4

SHA1
c0b524efbf338ead1d33c864201cfb7e92b4ce4b

SHA256
915a69b957c8399c8495eeccbff299c8ac3e0f9b01c6233b02db8b07a822b9a3

SHA512
4641e16a5458ed119eb5682feaa839c4168140884f5d715bc88d89d6dfbbb9b9d707810828b7ecfcf78da3efac6f0e41de6744d8b108bf11b7fcae262381b739

Download Submit
C:\Users\Admin\Documents\DenyMeasure.xltx.crypt
Filesize
195KB

MD5
66384ade4438030fdbdd42c4d0b9a4be

SHA1
41f69fa011aed8f5e91ad02d6724d4e1816fb988

SHA256
85094759e2054ec2b84bc9855f5dc7bc176a5ae4e6b93215b52fa3801570d021

SHA512
cdc793e6d92300d0109c41b62d14a8eaeea1fc19e3d1fa76f648447536a0f0332f5bf86245dae730bcecafa918ea261e929bf2e18d1492fda4563a454d4a4cf6

Download Submit
C:\Users\Admin\Documents\ExitRemove.pub.crypt
Filesize
448KB

MD5
aea8ec80ca2c75c15e92e4991d656af0

SHA1
2621fa76f32533bc639e4005e9b225550f63becf

SHA256
d0a126b39995312192878f157b6fa8339c7f4a0cfb0c750bc1899971bf59c7d2

SHA512
d86f8c1c57882d33bffd0e8e31207ce59c491d28a33201aafc1cf808341505958bcb5e5e6ff03c383aaf86f1230d06267aca0f87c9732ea17b14bcabce65d2ca

Download Submit
C:\Users\Admin\Documents\ExpandSuspend.html.crypt
Filesize
263KB

MD5
fbc89375c392279b0fa2ba959c6c5914

SHA1
60744130d0bb0170caf436ef2a91fd3daa52cc74

SHA256
480279e49ddc97dcadf935f514b8ee155ed53d45fa4ac957faa66b71ba41bda6

SHA512
fb736fec97ad46c8d9db423402df7954d4fd3f4331b9403b107f7a552154109e52ba87e4fe05471193ac800cf35cef7baea7abcd5d34c36c7695ca8601feeb9e

Download Submit
C:\Users\Admin\Documents\Files.docx.crypt
Filesize
11KB

MD5
b0455dc2524315b9bbcca1055cdfe843

SHA1
3ac3fe0ac70d80b8f500ec2a5b38e21e8874f0b5

SHA256
16799a7f4b0827500b80e4f9a22ccdffbe0a24d798060ded96f78eabc95186a0

SHA512
cfaa489b4461ce187b780af91f4362e4f51c767dcd6d3aa8f65ffbf68201f6b54ee6be0f54b4d1d29e5fff04c52d01853d469b296ee14b477e7a36093875be63

Download Submit
C:\Users\Admin\Documents\GetUse.html.crypt
Filesize
370KB

MD5
3f39427f71ffa8154efc29bb00d23373

SHA1
fa39abe1fd99c012670dfdcefe2c8b858bacab99

SHA256
6c8ce90a0fea36fa602eb69a788316b704515a0177b1802500c225e996974ced

SHA512
107c1d0e8effaa5bd2882848106a174e4ef58bc463d6d47483fe0f3cb46d09bfd4b37d79d09fc8c82000858eceb0c1bceb55f41d49f0af43204c100256606cd6

Download Submit
C:\Users\Admin\Documents\GroupMove.vsdx.crypt
Filesize
409KB

MD5
cc8560f02f322b77e5be5481b784e5d0

SHA1
01f9fa2b9fa697a2073bdf8b3236c3c92c033596

SHA256
fea59ab2c8beb6a3eec5257ab03bdce996127570dd0c8ab5081e698392e96b1e

SHA512
771788d946300e02d3d9e996f6a886982cfc60cc7e30c19001b8a35b26e780f29a5ad51819352e78c7c8487d20649b1d14380bcdfd838077523a9402775c46f7

Download Submit
C:\Users\Admin\Documents\GroupStop.xls.crypt
Filesize
360KB

MD5
951e8511be5dc35b738bd254cc1ddcaf

SHA1
cc3960eb19ed78926609efa03ef2a2d4c571067a

SHA256
a4ff8bda23557a0ae9416b2ed227f49a51fd9733c46697f96ed83e827f8f44a0

SHA512
2f422d7589afde33344b0a8e4dda60625e6469a2c816b668f65df4a327496476c72b4ee9c99f4e96e8a93a72394c9277e72446e811e47491c534bda4336c6cf3

Download Submit
C:\Users\Admin\Documents\InvokeRedo.dotm.crypt
Filesize
282KB

MD5
cfc3cd256e86c340cf84745cd439ebc5

SHA1
0a0a4a0467b1660d8a712c050345d609f8c7d877

SHA256
b6443dcfe17f6549b96126ebf8076a36953848726c11d8ddb7f7bf8fdd193667

SHA512
337364551131d73ea6ed2260da60323c96ee300241c57dc4934b799b1d10ae8d834475ce3eb1c13049906cfbd9694b70bca815658b2c124e3e87aaf03f3d0bf5

Download Submit
C:\Users\Admin\Documents\JoinGrant.vdx.crypt
Filesize
351KB

MD5
50f41d2dedf8d279c3061d05fccbf1d8

SHA1
b205957aa4add9167cf9e28293c7e711cd53d58b

SHA256
7c685e7ccd807c5b881c129a1d89441aacc58ee0452e6d9caf45a878915a745b

SHA512
a8de4a0e82ad73e024dd69653de8385a45b08369e62e37e76242560065da7e5f32af901282726268af26dfb6e7349f9f7ad516318c48f96cd84b23f6b28b5850

Download Submit
C:\Users\Admin\Documents\LimitOpen.xla.crypt
Filesize
243KB

MD5
0ae019578ef324d18d6be8f177ea83a7

SHA1
e2af82054b4b920a417c10b09a0e8b1d9c836b13

SHA256
6bfffadb4355dd209ae90e11fb36bd82c9a09972852cb2c9ca510131a9ca7293

SHA512
c7035b089804129de9ab363f05f4b397f3b83ebad69f2d04be62343e21b3c02bfc10a8973a426014184bda44fd86ca870e4e1f197ec6b66c147c811be4259d23

Download Submit
C:\Users\Admin\Documents\LockNew.docx.crypt
Filesize
321KB

MD5
7120ab30c47aaf54047dff5066aaaf2b

SHA1
6d6bfcfe8c8ca322965425936c7563adf3f24118

SHA256
e88891aa4dde41d0baa46cf2e1444dd3e08e10439c5a6b4ac36f6b0ace0e689d

SHA512
4d61e082c2e4498e76a4d45c0d3b85cc21dd278816d6d4b71e64198ea1a258f10e5aa050454f8c6518ebdc06c69633d84149907bf4af78709a15a4453248a72e

Download Submit
memory/112-91-0x0000000000000000-mapping.dmp

Download
memory/240-81-0x0000000000000000-mapping.dmp

Download
memory/272-94-0x0000000000000000-mapping.dmp

Download
memory/452-97-0x0000000000000000-mapping.dmp

Download
memory/532-106-0x0000000000000000-mapping.dmp

Download
memory/576-121-0x00000000032A0000-0x00000000032B0000-memory.dmp

Filesize
64KB

Download
memory/760-55-0x0000000000000000-mapping.dmp

Download
memory/776-64-0x0000000000000000-mapping.dmp

Download
memory/792-58-0x0000000000000000-mapping.dmp

Download
memory/792-87-0x0000000000000000-mapping.dmp

Download
memory/856-72-0x0000000000000000-mapping.dmp

Download
memory/860-110-0x0000000000000000-mapping.dmp

Download
memory/892-107-0x0000000000000000-mapping.dmp

Download
memory/952-61-0x0000000000000000-mapping.dmp

Download
memory/960-98-0x0000000000000000-mapping.dmp

Download
memory/960-145-0x000007FEFBD31000-0x000007FEFBD33000-memory.dmp

Filesize
8KB

Download
memory/968-54-0x0000000000000000-mapping.dmp

Download
memory/1008-68-0x0000000000000000-mapping.dmp

Download
memory/1072-78-0x0000000000000000-mapping.dmp

Download
memory/1084-65-0x0000000000000000-mapping.dmp

Download
memory/1092-67-0x0000000000000000-mapping.dmp

Download
memory/1120-83-0x0000000000000000-mapping.dmp

Download
memory/1128-82-0x0000000000000000-mapping.dmp

Download
memory/1168-69-0x0000000000000000-mapping.dmp

Download
memory/1172-62-0x0000000000000000-mapping.dmp

Download
memory/1188-92-0x0000000000000000-mapping.dmp

Download
memory/1204-95-0x0000000000000000-mapping.dmp

Download
memory/1208-93-0x0000000000000000-mapping.dmp

Download
memory/1224-80-0x0000000000000000-mapping.dmp

Download
memory/1248-73-0x0000000000000000-mapping.dmp

Download
memory/1308-76-0x0000000000000000-mapping.dmp

Download
memory/1320-71-0x0000000000000000-mapping.dmp

Download
memory/1352-89-0x0000000000000000-mapping.dmp

Download
memory/1388-111-0x0000000000000000-mapping.dmp

Download
memory/1460-112-0x0000000000000000-mapping.dmp

Download
memory/1464-79-0x0000000000000000-mapping.dmp

Download
memory/1472-88-0x0000000000000000-mapping.dmp

Download
memory/1516-101-0x0000000000000000-mapping.dmp

Download
memory/1520-113-0x0000000000000000-mapping.dmp

Download
memory/1540-96-0x0000000000000000-mapping.dmp

Download
memory/1552-99-0x0000000000000000-mapping.dmp

Download
memory/1564-86-0x0000000000000000-mapping.dmp

Download
memory/1568-116-0x0000000000000000-mapping.dmp

Download
memory/1580-70-0x0000000000000000-mapping.dmp

Download
memory/1580-119-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1588-84-0x0000000000000000-mapping.dmp

Download
memory/1600-63-0x0000000000000000-mapping.dmp

Download
memory/1604-105-0x0000000000000000-mapping.dmp

Download
memory/1608-74-0x0000000000000000-mapping.dmp

Download
memory/1620-59-0x0000000000000000-mapping.dmp

Download
memory/1624-104-0x0000000000000000-mapping.dmp

Download
memory/1640-103-0x0000000000000000-mapping.dmp

Download
memory/1648-75-0x0000000000000000-mapping.dmp

Download
memory/1660-77-0x0000000000000000-mapping.dmp

Download
memory/1680-102-0x0000000000000000-mapping.dmp

Download
memory/1712-85-0x0000000000000000-mapping.dmp

Download
memory/1732-118-0x0000000000000000-mapping.dmp

Download
memory/1736-100-0x0000000000000000-mapping.dmp

Download
memory/1744-114-0x0000000000000000-mapping.dmp

Download
memory/1752-60-0x0000000000000000-mapping.dmp

Download
memory/1752-90-0x0000000000000000-mapping.dmp

Download
memory/1756-108-0x0000000000000000-mapping.dmp

Download
memory/1764-115-0x0000000000000000-mapping.dmp

Download
memory/1772-117-0x0000000000000000-mapping.dmp

Download
memory/1800-66-0x0000000000000000-mapping.dmp

Download
memory/1936-56-0x0000000000000000-mapping.dmp

Download
memory/1996-109-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads