c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2022, 15:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
Size

563KB
MD5

fb8898216510c6af50a7aa81e23c35cb
SHA1

41d42f120ba66bc69efb3a2e1af47e197242f3a2
SHA256

c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e
SHA512

bd91d17213daa08918998e1352893cf94e36e1c2d7e6008b59c71bbdcbd7b7b58c1c8accc7b561c0e9421c0fe133fa3af131bc2f9ccbc411c38a7c4680851402
SSDEEP

12288:jXLRoysOFO0XmyVNpCwSnDTWm2kqvqSfyqMFIoiBrRR0GPJT1QxC:jXLRhFC8m2v5GIoiVRRnuxC

Score

10^/10

persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\!_INFO.txt

Ransom Note

WARNING! YOUR FILES ARE ENCRYPTED! Don’t worry, your files are safe, provided that you are willing to pay the ransom. Any forced shutdown or attempts to restore your files with the thrid-party software will be damage your files permanently! Do not rename your files. It will damage it. The only way to decrypt your files safely is to buy the special decryption software from us. Before paying you can send us up to 2 files for free decryption as guarantee. No database files for test. Send pictures, text, doc files. (files no more than 1mb) You can contact us with the following email [email protected] [email protected] Send us this ID or this file in first email ID: 6D9MiVj3OUgdbSbS1Y/yKUUB7EeaZB3wVFPbGe+j1OI=:b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f

Emails

[email protected]

Signatures

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\StartConvert.tiff.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File renamed	C:\Users\Admin\Pictures\OptimizeRestart.raw => C:\Users\Admin\Pictures\OptimizeRestart.raw.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeRestart.raw.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File renamed	C:\Users\Admin\Pictures\ResetRevoke.png => C:\Users\Admin\Pictures\ResetRevoke.png.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Users\Admin\Pictures\ResetRevoke.png.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File renamed	C:\Users\Admin\Pictures\SearchPop.tif => C:\Users\Admin\Pictures\SearchPop.tif.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Users\Admin\Pictures\SearchPop.tif.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File renamed	C:\Users\Admin\Pictures\StartConvert.tiff => C:\Users\Admin\Pictures\StartConvert.tiff.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/988-132-0x0000000000010000-0x00000000001A7000-memory.dmp	upx
behavioral2/memory/988-133-0x0000000000010000-0x00000000001A7000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\74c5cfb018507a06e9f3970aa4272a93c8517826016cd635354fe8d7109f7d5b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f"	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\74c5cfb018507a06e9f3970aa4272a93c8517826016cd635354fe8d7109f7d5b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f"	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\ui-strings.js.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\measure_poster.jpg.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\ui-strings.js.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\Locales\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.properties.src.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_replace_signer_18.svg.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ro-ro\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Cryptomining.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jfxrt.jar.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\ResiliencyLinks\Locales\bg.pak.DATA	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\104.0.1293.47\Trust Protection Lists\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B6C8198-C317-45C5-B53E-F1BE51486918\root\vfs\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\MLModels\autofill_labeling_features_email.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\ResiliencyLinks\Locales\it.pak.DATA.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\Trust Protection Lists\manifest.json.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info.png.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\SystemX86\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\ui-strings.js.360	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\!_INFO.txt	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\Locales\zh-TW.pak	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\__lock_XXX__	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
988	c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3640	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe
"C:\Users\Admin\AppData\Local\Temp\c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:988

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/988-132-0x0000000000010000-0x00000000001A7000-memory.dmp

Filesize
1.6MB

Download
memory/988-133-0x0000000000010000-0x00000000001A7000-memory.dmp

Filesize
1.6MB

Download