Resubmissions
25/04/2023, 15:04    230425-sfwdtacg8x    1
25/04/2023, 14:56    230425-sa76esah89    4
25/04/2023, 14:53    230425-r9k99sah77    1
25/04/2023, 14:49    230425-r67zvscg4s    6
25/04/2023, 14:42    230425-r28qlaah48    5
Analysis
Max time kernel: 146s
Max time network: 144s
Platform: windows10-1703_x64
Resource: win10-20230220-en
Resource tags: arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
Submitted: 25/04/2023, 14:49
Static task: static1
Behavioral task: behavioral1
Sample: NoEscape.zip
Resource: win10-20230220-en
General
Target: NoEscape.zip
Size: 616KB
MD5: ef4fdf65fc90bfda8d1d2ae6d20aff60
SHA1: 9431227836440c78f12bfb2cb3247d59f4d4640b
SHA256: 47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8
SHA512: 6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9
SSDEEP: 12288:1PQuO1JLx2auoA82iqOxdOc7XPkmpOw6mqc5m937hnTMktj1H:1PVqJx2auYqw7dOw6mql3nNBd
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | unregmp2.exe
File opened (read-only) | \??\B: | unregmp2.exe
File opened (read-only) | \??\K: | unregmp2.exe
File opened (read-only) | \??\S: | unregmp2.exe
File opened (read-only) | \??\U: | unregmp2.exe
File opened (read-only) | \??\X: | unregmp2.exe
File opened (read-only) | \??\E: | unregmp2.exe
File opened (read-only) | \??\P: | unregmp2.exe
File opened (read-only) | \??\T: | unregmp2.exe
File opened (read-only) | \??\Z: | unregmp2.exe
File opened (read-only) | \??\H: | unregmp2.exe
File opened (read-only) | \??\I: | unregmp2.exe
File opened (read-only) | \??\L: | unregmp2.exe
File opened (read-only) | \??\V: | unregmp2.exe
File opened (read-only) | \??\F: | unregmp2.exe
File opened (read-only) | \??\G: | unregmp2.exe
File opened (read-only) | \??\J: | unregmp2.exe
File opened (read-only) | \??\M: | unregmp2.exe
File opened (read-only) | \??\N: | unregmp2.exe
File opened (read-only) | \??\O: | unregmp2.exe
File opened (read-only) | \??\Q: | unregmp2.exe
File opened (read-only) | \??\R: | unregmp2.exe
File opened (read-only) | \??\W: | unregmp2.exe
File opened (read-only) | \??\Y: | unregmp2.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{669F618B-E378-11ED-9346-7E4DEDD3F78C} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "996999463" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "997009587" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{668C4E9B-E378-11ED-9346-7E4DEDD3F78C} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc00000000020000000000106600000001000020000000d7e88b80d7c6ad687544e8ba1217f91fdb1ca4de829bc1a95804ce42eae901a4000000000e80000000020000200000008a3c52d79f20349453a197483c4e5eeb8b0b30404289c107fa3949eb1492a50d200000009949d0664c4b1e2cf48438bd9d4228960b5a38449f1f9d47b15e4db045bf51d8400000001c9a01592202f76adb92cd35fd5338b63aee5bd21a6b4d7ee4198a541cf81a5a786f94f0130d74cdaa088d6059699be2f06725418463c97b5443cf708432a4c5 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31029125" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207c9d2a8577d901 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31029125" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
3984 | NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener (4 IoCs)
pid | Process
3144 | WINWORD.EXE (x2)
4900 | vlc.exe
2496 | vlc.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
816 | mspaint.exe (x2)
1852 | mspaint.exe (x2)
2540 | mspaint.exe (x2)
2288 | mspaint.exe (x2)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4900 | vlc.exe
2496 | vlc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1020 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 1020 | unregmp2.exe

Suspicious use of FindShellTrayWindow (19 IoCs)
pid | Process
3440 | iexplore.exe
5008 | iexplore.exe
4900 | vlc.exe (x3)
2496 | vlc.exe (x14)

Suspicious use of SendNotifyMessage (15 IoCs)
pid | Process
4900 | vlc.exe (x2)
2496 | vlc.exe (x13)

Suspicious use of SetWindowsHookEx (47 IoCs)
pid | Process
3440 | iexplore.exe (x2)
5008 | iexplore.exe (x2)
4400 | IEXPLORE.EXE (x2)
4624 | IEXPLORE.EXE (x2)
3144 | WINWORD.EXE (x13)
4900 | vlc.exe
816 | mspaint.exe (x4)
1852 | mspaint.exe (x4)
2540 | mspaint.exe (x4)
2288 | mspaint.exe (x4)
2496 | vlc.exe
1408 | xpsrchvw.exe (x4)
3556 | xpsrchvw.exe (x4)

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 3440 wrote to memory of 4400 | 3440 | iexplore.exe | 70 (x3)
PID 5008 wrote to memory of 4624 | 5008 | iexplore.exe | 69 (x3)
PID 4540 wrote to memory of 520 | 4540 | wmplayer.exe | 79 (x3)
PID 4540 wrote to memory of 4464 | 4540 | wmplayer.exe | 80 (x3)
PID 4464 wrote to memory of 1020 | 4464 | unregmp2.exe | 81 (x2)
Processes

C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NoEscape.zip
  PID: 4024

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\BackupJoin.xhtml
  PID: 3440
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3440 CREDAT:82945 /prefetch:2
      PID: 4400
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\BackupJoin.xhtml
  PID: 5008
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5008 CREDAT:82945 /prefetch:2
      PID: 4624
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeWrite.odt"
  PID: 1104

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeWrite.odt"
  PID: 4528

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeWrite.odt"
  PID: 4828

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeWrite.odt"
  PID: 4952

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeWrite.odt"
  PID: 4960

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\InitializeWrite.odt"
  PID: 3144
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  PID: 4540
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      Command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      PID: 520
    C:\Windows\SysWOW64\unregmp2.exe
      Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      PID: 4464
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\unregmp2.exe
          Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          PID: 1020
          - Enumerates connected drives
          - Suspicious use of AdjustPrivilegeToken

C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe"
  PID: 4900
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectMove.rle"
  PID: 816
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectMove.rle"
  PID: 1852
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectMove.rle"
  PID: 2540
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
  PID: 3232

C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectMove.rle"
  PID: 2288
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PushConvertTo.aif"
  PID: 2496
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PushConvertTo.aif"
  PID: 1548

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\OpenPublish.ini
  PID: 3984
  - Opens file in notepad (likely ransom note)

C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CompressClear.M2T"
  PID: 1592

C:\Windows\System32\xpsrchvw.exe
  Command line: "C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\EnableWait.eprtx"
  PID: 1408
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\xpsrchvw.exe
  Command line: "C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\EnableWait.eprtx"
  PID: 3556
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\fontview.exe
  Command line: "C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\ClearApprove.fon
  PID: 2060
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{668C4E9B-E378-11ED-9346-7E4DEDD3F78C}.dat
  Filesize: 3KB
  MD5: 2f84c1fc8d3f0143cb9572a151396001
  SHA1: 0a61594d9a79ef57b454acd27c07d3daeb431ccf
  SHA256: 0bc91389043239807a8aa9ad35209d43b46dbf5e05f5ce8f1f0ac5c79e20af0f
  SHA512: c82b270468485b834996a4971491d83182751ddaac4a76ddf106e3d7caedc383a17dc2c971e46f974e260cd8bf8524ab7ce711fe8c1c887b2855df150237cfd2

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{669F618B-E378-11ED-9346-7E4DEDD3F78C}.dat
  Filesize: 5KB
  MD5: 8a49c6ea0120746ae4f2165939f45a34
  SHA1: 6649db86ffc782eedfbb0d6cc666414f5ef6c3c6
  SHA256: e0e35e4e1b023896bd0665861cba345e8dc70d2ba9ac7666c6b6df9d2a1e6b71
  SHA512: 2b40652ed401acc7ae4e0650b2ee97ff28cb3d4cfc6fd56034d5d2c94e0731563769abdb08e91d98ff9ab0069db0b43a302aac4b53614a2619b30b8635943c8a

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{DD985BA9-B146-11ED-933F-7A8F0EDDD75F}.dat
  Filesize: 5KB
  MD5: 977ba23e5fc3a876c2b2aaa351c9e0c6
  SHA1: 5473757efa83f270414f7944f3058338050f8969
  SHA256: 1a97d0bac4f128edd02fa546946b4c19d328c080ffa9a819459649f80e13a44f
  SHA512: 0dea4f897f9c222087629b50462884b1bd5b2f11600780cbfb77c42d9a2b8228cda10619c7f89001186c95ddd8514ef1e166513467a928c0225275253a8b9adb

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{668C4E9E-E378-11ED-9346-7E4DEDD3F78C}.dat
  Filesize: 6KB
  MD5: 3f00a2d0c3ddedef75639cb1907f0df2
  SHA1: 316e44604c327c7bcd83bb2441052282fc9d9491
  SHA256: f1ec536246d724ec3f5edbee02415cdd3231adff63b4db0919af250a3949a932
  SHA512: c49f5f3f2405ed4fc85f99a4a6a1b7131685becd177368cd9570850e47b501a6da7923712eece912315dcda7fed9bfb10fa5e54f8616909de9ac2eacb20ea61d

  Filesize: 15KB
  MD5: 1a545d0052b581fbb2ab4c52133846bc
  SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
  SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
  SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  Filesize: 384KB
  MD5: 9574d26ecc89d8ef027e51b9e47f2bc9
  SHA1: 1d6e6c558321dde60102ba63accf08b0a7d74cc5
  SHA256: 6dc988b85852834380f897e1b13c9a6e4f3f9bb6ae63ed3974b1005a979d6ebe
  SHA512: 60d552bcecc6c46d4e4c0c8f514cdcd9afde6256002ecb54342a2118ed496694485f1d2cda7082560f9a94b9ba1fb8da9bdd47f69a761a54873b51ad88e4ba7e

  Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

  Filesize: 546B
  MD5: df03e65b8e082f24dab09c57bc9c6241
  SHA1: 6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf
  SHA256: 155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba
  SHA512: ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

  Filesize: 523B
  MD5: d58da90d6dc51f97cb84dfbffe2b2300
  SHA1: 5f86b06b992a3146cb698a99932ead57a5ec4666
  SHA256: 93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad
  SHA512: 7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

  Filesize: 1KB
  MD5: 770da23a42f01fbc7b10b0204d9d72ec
  SHA1: 7e4e8e8059d29088c886835da55d2dbe0fdff8d8
  SHA256: ce520676b20981509a9ccaa100ee7df8266338a771ed92a8f83b319a6f9013b6
  SHA512: 165ad1caf989546c7d122578533732fe94a74fe927d713bc0390a4d38c6fe257da32b2d16b10e53d30f530cf79e55fac713d0abcd5811fc90dfea2efa1a8426e

  Filesize: 16KB
  MD5: fc8b9e48bd82401d03b323be8db39847
  SHA1: 2352cd2041e886f7023c3ffe27ab92ce1a21acbb
  SHA256: 743f8a30682bbf219bed9babed65c73805fdf0037c7e181a2eaf288668968d71
  SHA512: 8275d5c8ea6e3c9f2ae37e5c5221b07c84f8dda5a22d40b1e2f2f61aff0c2f9b04044190d52edf0e8fa8aa2e4ecc34806e729e4d7dd6c8621a4a5907ccae62af

  Filesize: 4KB
  MD5: b6c7877d8aa3c9650a1994d4a05b83ca
  SHA1: bf81dfd367b0c5009346fcf51aafae974bd6bdf6
  SHA256: 5aba3263768b3199f71aa9982d9eb8eb82374c79c6b2fc3162226d3fb83004ea
  SHA512: ea43b5ce762cf9019e682028428f162815d38335e4e1f294ba265aa9f2166a13637e2c5c6c52030dfed55f3c546bf74886505fcffb44944083b9bdf37f53f86a