Analysis
-
max time kernel
568s -
max time network
506s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2022 15:40
Behavioral task
behavioral1
Sample
windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
Resource
win7-20221111-en
General
-
Target
windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
-
Size
884KB
-
MD5
da13022097518d123a91a3958be326da
-
SHA1
24a71ab462594d5a159bbf176588af951aba1381
-
SHA256
25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
-
SHA512
a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f
-
SSDEEP
12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw
Malware Config
Extracted
C:\EGdu_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
-
Hive
A ransomware written in Golang first seen in June 2021.
-
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe -
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3148 2236 OfficeC2RClient.exe 226 Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4816 3204 OfficeC2RClient.exe 264 -
Clears Windows event logs 1 TTPs 3 IoCs
pid Process 1284 wevtutil.exe 368 wevtutil.exe 4324 wevtutil.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\CompressGrant.png => C:\Users\Admin\Pictures\CompressGrant.png.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2foFXrnnxjZPWat72zkXtZN.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Users\Admin\Pictures\CompressGrant.png.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2foFXrnnxjZPWat72zkXtZN.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File renamed C:\Users\Admin\Pictures\ExpandCompare.raw => C:\Users\Admin\Pictures\ExpandCompare.raw.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2f_uoobuvuYDLHA4SrNnMge.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Users\Admin\Pictures\ExpandCompare.raw.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2f_uoobuvuYDLHA4SrNnMge.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe -
resource yara_rule behavioral2/memory/5060-132-0x0000000000A20000-0x0000000000D32000-memory.dmp upx behavioral2/memory/5060-133-0x0000000000A20000-0x0000000000D32000-memory.dmp upx behavioral2/memory/5060-224-0x0000000000A20000-0x0000000000D32000-memory.dmp upx -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-125_contrast-white.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ca-ES\View3d\3DViewerProductDescription-universal.xml windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-hover_32.svg.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2cGc90dIWs1CheYw9aItsRT.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2fu1nFWckTQb4tF1XmAOXML.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-125_contrast-high.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\EGdu_HOW_TO_DECRYPT.txt windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_contrast-black.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\ui-strings.js.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2e8vldLkx_ZbsbZ1LpJw-4q.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Roundrect_White@1x.png.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2fX6GRTM6rZN_6XfqbArL8_.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\EGdu_HOW_TO_DECRYPT.txt windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\cacerts.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2f_sCHrh3oLWENiiEpp6vcM.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2d6KrfIQE7wW3PPuPAaFU4T.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\LargeTile.scale-100.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldExist.snippets.ps1xml windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2cyXi-O-LADVk129kvAFjpq.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\82.jpg windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\ui-strings.js.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2e5eY-33ASgdmHyeMfQR3ME.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.White@2x.png.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2dqi3fvh95TCLrlseZ8PAZw.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-lightunplated.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-24_altform-unplated.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\BhaiMDL2.2.52.ttf windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsSplashLogo.scale-100.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2eKGfKrRUx8J0GNUyF8o915.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\EGdu_HOW_TO_DECRYPT.txt windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p2.mp4 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256_altform-lightunplated.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\SmallTile.scale-125.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Sunglasses.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-400.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2elGLLCFlGlLsyEUlopAr9y.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2c1_ZYSaqy0ZgjgpO3HumRl.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-24_altform-lightunplated.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-80.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_6.m4a windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-150.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\ui-strings.js.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2e-HS3a4N5Mds5sQnpkS8pg.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaremr.dll.mui windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\EGdu_HOW_TO_DECRYPT.txt windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\EGdu_HOW_TO_DECRYPT.txt windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2cUMDXB93liUeJ7pfTRdkR4.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32_contrast-white.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\ui-strings.js.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2dATjI99p-7AsiEErCgTz8r.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\EGdu_HOW_TO_DECRYPT.txt windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\LargeTile.scale-200.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-200_contrast-black.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\splash.gif.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2cwfe1CQDA6bC8z2gaOwrpi.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-60.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\ui-strings.js.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2fCeW1fBHTNdQh5vWAQ81B4.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\ui-strings.js.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2dBzy7Ks22fAMSJdpvw14NW.uj1ps windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File created C:\Program Files\Microsoft Office\PackageManifests\EGdu_HOW_TO_DECRYPT.txt windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\EGdu_HOW_TO_DECRYPT.txt windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-256.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-180.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Shutter.m4a windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.scale-100_contrast-black.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_contrast-high.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaremr.dll.mui windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File created C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\EGdu_HOW_TO_DECRYPT.txt windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\LockScreenBadgeLogo.scale-125.png windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe -
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4828 sc.exe 4584 sc.exe 1184 sc.exe 4744 sc.exe 2184 sc.exe 1536 sc.exe 3528 sc.exe 4228 sc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 996 3012 WerFault.exe 249 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 5 IoCs
pid Process 3704 NOTEPAD.EXE 3672 NOTEPAD.EXE 1716 NOTEPAD.EXE 4732 notepad.exe 4968 NOTEPAD.EXE -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4696 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3464 powershell.exe 3464 powershell.exe 3020 powershell.exe 3020 powershell.exe 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 4204 OpenWith.exe 4040 taskmgr.exe 4008 OpenWith.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 3700 chrome.exe 3700 chrome.exe 3700 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSecurityPrivilege 4324 wevtutil.exe Token: SeBackupPrivilege 4324 wevtutil.exe Token: SeSecurityPrivilege 1284 wevtutil.exe Token: SeBackupPrivilege 1284 wevtutil.exe Token: SeSecurityPrivilege 368 wevtutil.exe Token: SeBackupPrivilege 368 wevtutil.exe Token: SeIncreaseQuotaPrivilege 3988 wmic.exe Token: SeSecurityPrivilege 3988 wmic.exe Token: SeTakeOwnershipPrivilege 3988 wmic.exe Token: SeLoadDriverPrivilege 3988 wmic.exe Token: SeSystemProfilePrivilege 3988 wmic.exe Token: SeSystemtimePrivilege 3988 wmic.exe Token: SeProfSingleProcessPrivilege 3988 wmic.exe Token: SeIncBasePriorityPrivilege 3988 wmic.exe Token: SeCreatePagefilePrivilege 3988 wmic.exe Token: SeBackupPrivilege 3988 wmic.exe Token: SeRestorePrivilege 3988 wmic.exe Token: SeShutdownPrivilege 3988 wmic.exe Token: SeDebugPrivilege 3988 wmic.exe Token: SeSystemEnvironmentPrivilege 3988 wmic.exe Token: SeRemoteShutdownPrivilege 3988 wmic.exe Token: SeUndockPrivilege 3988 wmic.exe Token: SeManageVolumePrivilege 3988 wmic.exe Token: 33 3988 wmic.exe Token: 34 3988 wmic.exe Token: 35 3988 wmic.exe Token: 36 3988 wmic.exe Token: SeIncreaseQuotaPrivilege 2144 wmic.exe Token: SeSecurityPrivilege 2144 wmic.exe Token: SeTakeOwnershipPrivilege 2144 wmic.exe Token: SeLoadDriverPrivilege 2144 wmic.exe Token: SeSystemProfilePrivilege 2144 wmic.exe Token: SeSystemtimePrivilege 2144 wmic.exe Token: SeProfSingleProcessPrivilege 2144 wmic.exe Token: SeIncBasePriorityPrivilege 2144 wmic.exe Token: SeCreatePagefilePrivilege 2144 wmic.exe Token: SeBackupPrivilege 2144 wmic.exe Token: SeRestorePrivilege 2144 wmic.exe Token: SeShutdownPrivilege 2144 wmic.exe Token: SeDebugPrivilege 2144 wmic.exe Token: SeSystemEnvironmentPrivilege 2144 wmic.exe Token: SeRemoteShutdownPrivilege 2144 wmic.exe Token: SeUndockPrivilege 2144 wmic.exe Token: SeManageVolumePrivilege 2144 wmic.exe Token: 33 2144 wmic.exe Token: 34 2144 wmic.exe Token: 35 2144 wmic.exe Token: 36 2144 wmic.exe Token: SeIncreaseQuotaPrivilege 2144 wmic.exe Token: SeSecurityPrivilege 2144 wmic.exe Token: SeTakeOwnershipPrivilege 2144 wmic.exe Token: SeLoadDriverPrivilege 2144 wmic.exe Token: SeSystemProfilePrivilege 2144 wmic.exe Token: SeSystemtimePrivilege 2144 wmic.exe Token: SeProfSingleProcessPrivilege 2144 wmic.exe Token: SeIncBasePriorityPrivilege 2144 wmic.exe Token: SeCreatePagefilePrivilege 2144 wmic.exe Token: SeBackupPrivilege 2144 wmic.exe Token: SeRestorePrivilege 2144 wmic.exe Token: SeShutdownPrivilege 2144 wmic.exe Token: SeDebugPrivilege 2144 wmic.exe Token: SeSystemEnvironmentPrivilege 2144 wmic.exe Token: SeRemoteShutdownPrivilege 2144 wmic.exe Token: SeUndockPrivilege 2144 wmic.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 2332 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe 4040 taskmgr.exe -
Suspicious use of SetWindowsHookEx 22 IoCs
pid Process 3148 OfficeC2RClient.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4204 OpenWith.exe 4008 OpenWith.exe 4008 OpenWith.exe 4008 OpenWith.exe 4008 OpenWith.exe 4008 OpenWith.exe 4816 OfficeC2RClient.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5060 wrote to memory of 2608 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 91 PID 5060 wrote to memory of 2608 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 91 PID 5060 wrote to memory of 2608 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 91 PID 2608 wrote to memory of 3184 2608 net.exe 93 PID 2608 wrote to memory of 3184 2608 net.exe 93 PID 2608 wrote to memory of 3184 2608 net.exe 93 PID 5060 wrote to memory of 1936 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 94 PID 5060 wrote to memory of 1936 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 94 PID 5060 wrote to memory of 1936 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 94 PID 1936 wrote to memory of 3856 1936 net.exe 96 PID 1936 wrote to memory of 3856 1936 net.exe 96 PID 1936 wrote to memory of 3856 1936 net.exe 96 PID 5060 wrote to memory of 4808 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 97 PID 5060 wrote to memory of 4808 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 97 PID 5060 wrote to memory of 4808 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 97 PID 4808 wrote to memory of 4092 4808 net.exe 99 PID 4808 wrote to memory of 4092 4808 net.exe 99 PID 4808 wrote to memory of 4092 4808 net.exe 99 PID 5060 wrote to memory of 3100 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 100 PID 5060 wrote to memory of 3100 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 100 PID 5060 wrote to memory of 3100 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 100 PID 3100 wrote to memory of 3996 3100 net.exe 102 PID 3100 wrote to memory of 3996 3100 net.exe 102 PID 3100 wrote to memory of 3996 3100 net.exe 102 PID 5060 wrote to memory of 4084 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 103 PID 5060 wrote to memory of 4084 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 103 PID 5060 wrote to memory of 4084 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 103 PID 4084 wrote to memory of 3428 4084 net.exe 105 PID 4084 wrote to memory of 3428 4084 net.exe 105 PID 4084 wrote to memory of 3428 4084 net.exe 105 PID 5060 wrote to memory of 1560 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 106 PID 5060 wrote to memory of 1560 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 106 PID 5060 wrote to memory of 1560 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 106 PID 1560 wrote to memory of 1496 1560 net.exe 108 PID 1560 wrote to memory of 1496 1560 net.exe 108 PID 1560 wrote to memory of 1496 1560 net.exe 108 PID 5060 wrote to memory of 3264 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 109 PID 5060 wrote to memory of 3264 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 109 PID 5060 wrote to memory of 3264 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 109 PID 3264 wrote to memory of 3404 3264 net.exe 111 PID 3264 wrote to memory of 3404 3264 net.exe 111 PID 3264 wrote to memory of 3404 3264 net.exe 111 PID 5060 wrote to memory of 3396 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 112 PID 5060 wrote to memory of 3396 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 112 PID 5060 wrote to memory of 3396 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 112 PID 3396 wrote to memory of 3684 3396 net.exe 114 PID 3396 wrote to memory of 3684 3396 net.exe 114 PID 3396 wrote to memory of 3684 3396 net.exe 114 PID 5060 wrote to memory of 1536 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 115 PID 5060 wrote to memory of 1536 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 115 PID 5060 wrote to memory of 1536 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 115 PID 5060 wrote to memory of 3528 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 117 PID 5060 wrote to memory of 3528 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 117 PID 5060 wrote to memory of 3528 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 117 PID 5060 wrote to memory of 4228 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 119 PID 5060 wrote to memory of 4228 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 119 PID 5060 wrote to memory of 4228 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 119 PID 5060 wrote to memory of 4828 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 121 PID 5060 wrote to memory of 4828 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 121 PID 5060 wrote to memory of 4828 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 121 PID 5060 wrote to memory of 4584 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 123 PID 5060 wrote to memory of 4584 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 123 PID 5060 wrote to memory of 4584 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 123 PID 5060 wrote to memory of 1184 5060 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe 125
Processes
-
C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\net.exenet.exe stop "SamSs" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SamSs" /y3⤵PID:3184
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "SDRSVC" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SDRSVC" /y3⤵PID:3856
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "SstpSvc" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SstpSvc" /y3⤵PID:4092
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "vmicvss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "vmicvss" /y3⤵PID:3996
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "VSS" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VSS" /y3⤵PID:3428
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "wbengine" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "wbengine" /y3⤵PID:1496
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "WebClient" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "WebClient" /y3⤵PID:3404
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "UnistoreSvc_1a529" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "UnistoreSvc_1a529" /y3⤵PID:3684
-
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "SamSs" start= disabled2⤵
- Launches sc.exe
PID:1536
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "SDRSVC" start= disabled2⤵
- Launches sc.exe
PID:3528
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "SstpSvc" start= disabled2⤵
- Launches sc.exe
PID:4228
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "vmicvss" start= disabled2⤵
- Launches sc.exe
PID:4828
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "VSS" start= disabled2⤵
- Launches sc.exe
PID:4584
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "wbengine" start= disabled2⤵
- Launches sc.exe
PID:1184
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "WebClient" start= disabled2⤵
- Launches sc.exe
PID:4744
-
-
C:\Windows\SysWOW64\sc.exesc.exe config "UnistoreSvc_1a529" start= disabled2⤵
- Launches sc.exe
PID:2184
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1324
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f2⤵PID:4940
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:5076
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:2592
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵PID:4212
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:508
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:1928
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2444
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2008
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3604
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵PID:4964
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:2956
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵PID:4948
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f2⤵PID:3868
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:2440
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:3404
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:2136
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:4108
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:5112
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:2004
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:3776
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:1188
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:408
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:2820
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:2644
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:4924
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1896
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4880
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4960
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1028
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4132
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:1572
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1812
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl system2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl security2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1284
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl application2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:368
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:1308
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:3912
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3464
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:220
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe C:\EGdu_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:4732
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"2⤵PID:4568
-
C:\Windows\SysWOW64\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:4696
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\EGdu_HOW_TO_DECRYPT.txt1⤵
- Opens file in notepad (likely ransom note)
PID:3704
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2332
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""1⤵PID:2236
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeOfficeC2RClient.exe /error PID=2236 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=12⤵
- Process spawned unexpected child process
- Suspicious use of SetWindowsHookEx
PID:3148
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:724
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4204 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\odt\config.xml.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2eqxSmyZJzKLvhvcOgAU3h3.uj1ps2⤵
- Opens file in notepad (likely ransom note)
PID:3672
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\odt\EGdu_HOW_TO_DECRYPT.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1716
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4040
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3700 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc96f74f50,0x7ffc96f74f60,0x7ffc96f74f702⤵PID:4264
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:22⤵PID:2260
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2044 /prefetch:82⤵PID:3716
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:82⤵PID:2604
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:12⤵PID:4812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:12⤵PID:4804
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:12⤵PID:3336
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:82⤵PID:3284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4688 /prefetch:82⤵PID:2112
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,7777057964558561597,7035302755072284462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:82⤵PID:548
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4488
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 424 -p 3012 -ip 30121⤵PID:3476
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3012 -s 29201⤵
- Program crash
PID:996
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4008 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\odt\config.xml.84dSP28BRf5CiZW4kAZXiU3WDZbhvlw3PHQfeXbSh2eqxSmyZJzKLvhvcOgAU3h3.uj1ps2⤵
- Opens file in notepad (likely ransom note)
PID:4968
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""1⤵PID:3204
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeOfficeC2RClient.exe /error PID=3204 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=12⤵
- Process spawned unexpected child process
- Suspicious use of SetWindowsHookEx
PID:4816
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54e68cfad3f3cbef5406c90fd9e9d7931
SHA1504d53957bbed8e1a612c791eec7abdd17bd15bc
SHA25651dc299391f9b3eca411936a0d01781ad68799d282655e0d20c8c8521aa8e014
SHA51278c89847c3a7c128e5d54c3fff0e41c89a61722730b9d02d9c7e0b6985ce8188c3c37b6357a71c30f7e34c8b78f94599a186be6c189e56f6ccb832033e77172a
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
97KB
MD5b5f9de02e0d3b909bba32d4c29449e8e
SHA1af14db9dc20f5fdfa51b69c25045295ca104bc13
SHA25637f395557650b4cf0bf46721bede87af5b759952de35c63ca8509dc68a5c8f15
SHA5121b131741d427cb147f7ac09fd03237f05ca4e1317fe4dbfd4564eb8a71d886a840e267adc3689c98ee15e7321ea0c547fabc85d6d6f1970236db214832fe62e8
-
Filesize
24KB
MD5a6064fc9ce640751e063d9af443990da
SHA1367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a
SHA2565f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c
SHA5120e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0
-
Filesize
18KB
MD52b1280525223d429609fbe4da77a8d1c
SHA16f6d009c6270e0a107f609d0de4bbd5a86ae6b47
SHA256e6df05fec03d814b59604816e16027b9b5f2b1a2d17c8dd5276eda9ed914186c
SHA51220e17307d389d002bcc7555a0e3dcdff530b120091cce8e3cf2823d0613495703f4fcf7726d7947648f8e09fbaeb3187d6543b814d8af8115fb9a473147e92db
-
Filesize
1KB
MD54e68cfad3f3cbef5406c90fd9e9d7931
SHA1504d53957bbed8e1a612c791eec7abdd17bd15bc
SHA25651dc299391f9b3eca411936a0d01781ad68799d282655e0d20c8c8521aa8e014
SHA51278c89847c3a7c128e5d54c3fff0e41c89a61722730b9d02d9c7e0b6985ce8188c3c37b6357a71c30f7e34c8b78f94599a186be6c189e56f6ccb832033e77172a
-
Filesize
688B
MD5f062848d9ab634339d6322ff8ea96529
SHA122bd4f28f87d327f9a7cecb940f37dbfbe2ac2fe
SHA256983c08f4586debbc1f8e2f5a35e5a25b857cf7084f25b0c1222eaa9d13d18731
SHA512ef6b8aad7617ddf14b75a161dd058a723aa50625fed40ecaff4cfb314aa09d19ba1e7e32afeb1df3bc9bf1996bac50df7e646f5b7cdf336e602f7746e5a05835