locky | 2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

Analysis

max time kernel
105s
max time network
111s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21-07-2023 08:39

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

client_demo.exe
Size

10.8MB
MD5

9dfa6f391ccc098025b00eb281797e4d
SHA1

43d61d407480fe89bb6c38e50899ba4e43186ab3
SHA256

2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4
SHA512

5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74
SSDEEP

98304:Y5s5qBrcvlcYhVA/lCwguUEIPzMcMnD7vd8rVwfcCLOmDsh:Y5scBrcvunNCjEIPzMcMD7F8hyDsh

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Downloads MZ/PE file
Drops startup file 1 IoCs

Processes:

client_demo.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file_ck.exe client_demo.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file_ck.exe	client_demo.exe

Executes dropped EXE 23 IoCs

Processes:

ck_409640377.execk_2780776757.execk_4109583628.execk_2676529173.execk_1156931877.execk_2527578229.execk_549462622.execk_1902308368.execk_904351612.execk_937675831.execk_2082028056.execk_1792095423.execk_579856306.execk_3034821015.execk_1914045969.execk_2463977110.execk_3948902481.execk_1714726935.execk_1940533012.execk_2943239775.execk_2419060754.exesysmon64.exesysmon64.exe

pid	process
2820	ck_409640377.exe
2924	ck_2780776757.exe
2444	ck_4109583628.exe
2676	ck_2676529173.exe
2472	ck_1156931877.exe
1896	ck_2527578229.exe
3056	ck_549462622.exe
1884	ck_1902308368.exe
1680	ck_904351612.exe
2652	ck_937675831.exe
528	ck_2082028056.exe
572	ck_1792095423.exe
2596	ck_579856306.exe
708	ck_3034821015.exe
2524	ck_1914045969.exe
1764	ck_2463977110.exe
908	ck_3948902481.exe
1712	ck_1714726935.exe
1728	ck_1940533012.exe
1736	ck_2943239775.exe
2344	ck_2419060754.exe
2444	sysmon64.exe
2772	sysmon64.exe

Loads dropped DLL 43 IoCs

Processes:

client_demo.execk_409640377.execk_2780776757.execk_4109583628.execk_2676529173.execk_1156931877.execk_2527578229.execk_549462622.execk_1902308368.execk_904351612.execk_937675831.exe

pid	process
1148	client_demo.exe
1148	client_demo.exe
2820	ck_409640377.exe
2820	ck_409640377.exe
2924	ck_2780776757.exe
2924	ck_2780776757.exe
2444	ck_4109583628.exe
2444	ck_4109583628.exe
2676	ck_2676529173.exe
2676	ck_2676529173.exe
2472	ck_1156931877.exe
2472	ck_1156931877.exe
1896	ck_2527578229.exe
1896	ck_2527578229.exe
3056	ck_549462622.exe
3056	ck_549462622.exe
1884	ck_1902308368.exe
1884	ck_1902308368.exe
1680	ck_904351612.exe
1680	ck_904351612.exe
2652	ck_937675831.exe
2652	ck_937675831.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe
1148	client_demo.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

client_demo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	client_demo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count	client_demo.exe

Drops file in Windows directory 4 IoCs

Processes:

WINWORD.EXEsysmon64.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File created	C:\Windows\sysmon64.exe	sysmon64.exe
File opened for modification	C:\Windows\sysmon64.exe	sysmon64.exe
File created	C:\Windows\SysmonDrv.sys	sysmon64.exe

Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

client_demo.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI client_demo.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2016 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 4 Go-http-client/1.1
HTTP User-Agent header 6 Go-http-client/1.1
HTTP User-Agent header 7 Go-http-client/1.1
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEPOWERPNT.EXEEXCEL.EXE

pid process

2292 WINWORD.EXE
2412 POWERPNT.EXE
780 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2484 powershell.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client_demo.exe

pid	process
2016	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

description	flow	ioc
HTTP User-Agent header	4	Go-http-client/1.1
HTTP User-Agent header	6	Go-http-client/1.1
HTTP User-Agent header	7	Go-http-client/1.1

pid	process
2292	WINWORD.EXE
2412	POWERPNT.EXE
780	EXCEL.EXE

pid	process
2484	powershell.exe

pid	process
468

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

client_demo.execk_409640377.execk_2780776757.execk_4109583628.execk_2676529173.execk_1156931877.execk_2527578229.execk_549462622.execk_1902308368.execk_904351612.execk_937675831.execk_2082028056.execk_1792095423.execk_579856306.execk_3034821015.execk_1914045969.execk_2463977110.execk_3948902481.execk_1714726935.execk_1940533012.execk_2943239775.execk_2419060754.exepowershell.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1148	client_demo.exe
Token: SeDebugPrivilege	2820	ck_409640377.exe
Token: SeDebugPrivilege	2924	ck_2780776757.exe
Token: SeDebugPrivilege	2444	ck_4109583628.exe
Token: SeDebugPrivilege	2676	ck_2676529173.exe
Token: SeDebugPrivilege	2472	ck_1156931877.exe
Token: SeDebugPrivilege	1896	ck_2527578229.exe
Token: SeDebugPrivilege	3056	ck_549462622.exe
Token: SeDebugPrivilege	1884	ck_1902308368.exe
Token: SeDebugPrivilege	1680	ck_904351612.exe
Token: SeDebugPrivilege	2652	ck_937675831.exe
Token: SeDebugPrivilege	528	ck_2082028056.exe
Token: SeDebugPrivilege	572	ck_1792095423.exe
Token: SeDebugPrivilege	2596	ck_579856306.exe
Token: SeDebugPrivilege	708	ck_3034821015.exe
Token: SeDebugPrivilege	2524	ck_1914045969.exe
Token: SeDebugPrivilege	1764	ck_2463977110.exe
Token: SeDebugPrivilege	908	ck_3948902481.exe
Token: SeDebugPrivilege	1712	ck_1714726935.exe
Token: SeDebugPrivilege	1728	ck_1940533012.exe
Token: SeDebugPrivilege	1736	ck_2943239775.exe
Token: SeDebugPrivilege	2344	ck_2419060754.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeSecurityPrivilege	2872	wevtutil.exe
Token: SeBackupPrivilege	2872	wevtutil.exe
Token: SeSecurityPrivilege	2820	wevtutil.exe
Token: SeBackupPrivilege	2820	wevtutil.exe
Token: SeShutdownPrivilege	1148	client_demo.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXEEXCEL.EXEAcroRd32.exe

pid process

2292 WINWORD.EXE
2292 WINWORD.EXE
780 EXCEL.EXE
780 EXCEL.EXE
780 EXCEL.EXE
1876 AcroRd32.exe
1876 AcroRd32.exe
1876 AcroRd32.exe
1876 AcroRd32.exe

pid	process
2292	WINWORD.EXE
2292	WINWORD.EXE
780	EXCEL.EXE
780	EXCEL.EXE
780	EXCEL.EXE
1876	AcroRd32.exe
1876	AcroRd32.exe
1876	AcroRd32.exe
1876	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

client_demo.execk_409640377.execk_2780776757.execk_4109583628.execk_2676529173.execk_1156931877.execk_2527578229.execk_549462622.execk_1902308368.execk_904351612.execk_937675831.exe

description	pid	process	target process
PID 1148 wrote to memory of 2820	1148	client_demo.exe	ck_409640377.exe
PID 1148 wrote to memory of 2820	1148	client_demo.exe	ck_409640377.exe
PID 1148 wrote to memory of 2820	1148	client_demo.exe	ck_409640377.exe
PID 2820 wrote to memory of 2924	2820	ck_409640377.exe	ck_2780776757.exe
PID 2820 wrote to memory of 2924	2820	ck_409640377.exe	ck_2780776757.exe
PID 2820 wrote to memory of 2924	2820	ck_409640377.exe	ck_2780776757.exe
PID 2924 wrote to memory of 2444	2924	ck_2780776757.exe	ck_4109583628.exe
PID 2924 wrote to memory of 2444	2924	ck_2780776757.exe	ck_4109583628.exe
PID 2924 wrote to memory of 2444	2924	ck_2780776757.exe	ck_4109583628.exe
PID 2444 wrote to memory of 2676	2444	ck_4109583628.exe	ck_2676529173.exe
PID 2444 wrote to memory of 2676	2444	ck_4109583628.exe	ck_2676529173.exe
PID 2444 wrote to memory of 2676	2444	ck_4109583628.exe	ck_2676529173.exe
PID 2676 wrote to memory of 2472	2676	ck_2676529173.exe	ck_1156931877.exe
PID 2676 wrote to memory of 2472	2676	ck_2676529173.exe	ck_1156931877.exe
PID 2676 wrote to memory of 2472	2676	ck_2676529173.exe	ck_1156931877.exe
PID 2472 wrote to memory of 1896	2472	ck_1156931877.exe	ck_2527578229.exe
PID 2472 wrote to memory of 1896	2472	ck_1156931877.exe	ck_2527578229.exe
PID 2472 wrote to memory of 1896	2472	ck_1156931877.exe	ck_2527578229.exe
PID 1896 wrote to memory of 3056	1896	ck_2527578229.exe	ck_549462622.exe
PID 1896 wrote to memory of 3056	1896	ck_2527578229.exe	ck_549462622.exe
PID 1896 wrote to memory of 3056	1896	ck_2527578229.exe	ck_549462622.exe
PID 3056 wrote to memory of 1884	3056	ck_549462622.exe	ck_1902308368.exe
PID 3056 wrote to memory of 1884	3056	ck_549462622.exe	ck_1902308368.exe
PID 3056 wrote to memory of 1884	3056	ck_549462622.exe	ck_1902308368.exe
PID 1884 wrote to memory of 1680	1884	ck_1902308368.exe	ck_904351612.exe
PID 1884 wrote to memory of 1680	1884	ck_1902308368.exe	ck_904351612.exe
PID 1884 wrote to memory of 1680	1884	ck_1902308368.exe	ck_904351612.exe
PID 1680 wrote to memory of 2652	1680	ck_904351612.exe	ck_937675831.exe
PID 1680 wrote to memory of 2652	1680	ck_904351612.exe	ck_937675831.exe
PID 1680 wrote to memory of 2652	1680	ck_904351612.exe	ck_937675831.exe
PID 2652 wrote to memory of 528	2652	ck_937675831.exe	ck_2082028056.exe
PID 2652 wrote to memory of 528	2652	ck_937675831.exe	ck_2082028056.exe
PID 2652 wrote to memory of 528	2652	ck_937675831.exe	ck_2082028056.exe
PID 1148 wrote to memory of 572	1148	client_demo.exe	ck_1792095423.exe
PID 1148 wrote to memory of 572	1148	client_demo.exe	ck_1792095423.exe
PID 1148 wrote to memory of 572	1148	client_demo.exe	ck_1792095423.exe
PID 1148 wrote to memory of 2596	1148	client_demo.exe	ck_579856306.exe
PID 1148 wrote to memory of 2596	1148	client_demo.exe	ck_579856306.exe
PID 1148 wrote to memory of 2596	1148	client_demo.exe	ck_579856306.exe
PID 1148 wrote to memory of 708	1148	client_demo.exe	ck_3034821015.exe
PID 1148 wrote to memory of 708	1148	client_demo.exe	ck_3034821015.exe
PID 1148 wrote to memory of 708	1148	client_demo.exe	ck_3034821015.exe
PID 1148 wrote to memory of 2524	1148	client_demo.exe	ck_1914045969.exe
PID 1148 wrote to memory of 2524	1148	client_demo.exe	ck_1914045969.exe
PID 1148 wrote to memory of 2524	1148	client_demo.exe	ck_1914045969.exe
PID 1148 wrote to memory of 1764	1148	client_demo.exe	ck_2463977110.exe
PID 1148 wrote to memory of 1764	1148	client_demo.exe	ck_2463977110.exe
PID 1148 wrote to memory of 1764	1148	client_demo.exe	ck_2463977110.exe
PID 1148 wrote to memory of 908	1148	client_demo.exe	ck_3948902481.exe
PID 1148 wrote to memory of 908	1148	client_demo.exe	ck_3948902481.exe
PID 1148 wrote to memory of 908	1148	client_demo.exe	ck_3948902481.exe
PID 1148 wrote to memory of 1712	1148	client_demo.exe	ck_1714726935.exe
PID 1148 wrote to memory of 1712	1148	client_demo.exe	ck_1714726935.exe
PID 1148 wrote to memory of 1712	1148	client_demo.exe	ck_1714726935.exe
PID 1148 wrote to memory of 1728	1148	client_demo.exe	ck_1940533012.exe
PID 1148 wrote to memory of 1728	1148	client_demo.exe	ck_1940533012.exe
PID 1148 wrote to memory of 1728	1148	client_demo.exe	ck_1940533012.exe
PID 1148 wrote to memory of 1736	1148	client_demo.exe	ck_2943239775.exe
PID 1148 wrote to memory of 1736	1148	client_demo.exe	ck_2943239775.exe
PID 1148 wrote to memory of 1736	1148	client_demo.exe	ck_2943239775.exe
PID 1148 wrote to memory of 2344	1148	client_demo.exe	ck_2419060754.exe
PID 1148 wrote to memory of 2344	1148	client_demo.exe	ck_2419060754.exe
PID 1148 wrote to memory of 2344	1148	client_demo.exe	ck_2419060754.exe
PID 1148 wrote to memory of 2484	1148	client_demo.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\client_demo.exe
"C:\Users\Admin\AppData\Local\Temp\client_demo.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\checklist\ck_409640377.exe
C:\Users\Admin/checklist\ck_409640377.exe --subprocess=true --depth=10
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\checklist\ck_2780776757.exe
C:\Users\Admin/checklist\ck_2780776757.exe --subprocess=true --depth=9
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\checklist\ck_4109583628.exe
C:\Users\Admin/checklist\ck_4109583628.exe --subprocess=true --depth=8
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Users\Admin\checklist\ck_2676529173.exe
C:\Users\Admin/checklist\ck_2676529173.exe --subprocess=true --depth=7
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\checklist\ck_1156931877.exe
C:\Users\Admin/checklist\ck_1156931877.exe --subprocess=true --depth=6
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\checklist\ck_2527578229.exe
C:\Users\Admin/checklist\ck_2527578229.exe --subprocess=true --depth=5
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\checklist\ck_549462622.exe
C:\Users\Admin/checklist\ck_549462622.exe --subprocess=true --depth=4
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\checklist\ck_1902308368.exe
C:\Users\Admin/checklist\ck_1902308368.exe --subprocess=true --depth=3
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\checklist\ck_904351612.exe
C:\Users\Admin/checklist\ck_904351612.exe --subprocess=true --depth=2
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\checklist\ck_937675831.exe
C:\Users\Admin/checklist\ck_937675831.exe --subprocess=true --depth=1
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\checklist\ck_2082028056.exe
C:\Users\Admin/checklist\ck_2082028056.exe --subprocess=true --depth=0
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Users\Admin\checklist\ck_1792095423.exe
C:\Users\Admin/checklist\ck_1792095423.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Users\Admin\checklist\ck_579856306.exe
C:\Users\Admin/checklist\ck_579856306.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Users\Admin\checklist\ck_3034821015.exe
C:\Users\Admin/checklist\ck_3034821015.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Users\Admin\checklist\ck_1914045969.exe
C:\Users\Admin/checklist\ck_1914045969.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Users\Admin\checklist\ck_2463977110.exe
C:\Users\Admin/checklist\ck_2463977110.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Users\Admin\checklist\ck_3948902481.exe
C:\Users\Admin/checklist\ck_3948902481.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Users\Admin\checklist\ck_1714726935.exe
C:\Users\Admin/checklist\ck_1714726935.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\checklist\ck_1940533012.exe
C:\Users\Admin/checklist\ck_1940533012.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Users\Admin\checklist\ck_2943239775.exe
C:\Users\Admin/checklist\ck_2943239775.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Users\Admin\checklist\ck_2419060754.exe
C:\Users\Admin/checklist\ck_2419060754.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -f C:\Users\Admin/checklist\ps_3055677789.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\cscript.exe
cscript C:\Users\Admin/checklist\vb_2622932296.vbs
2⤵
PID:1936

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\Admin\AppData\Local\Temp\testdoc.doc
2⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin/checklist\bat_2477148739.bat
2⤵
PID:2576

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin/checklist\js_1596166775.js
2⤵
PID:2544

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" C:\Users\Admin\AppData\Local\Temp\testppt.ppt
2⤵
- Suspicious behavior: AddClipboardFormatListener
PID:2412

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1892

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" C:\Users\Admin\AppData\Local\Temp\testxls.xls
2⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:780

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" C:\Users\Admin\AppData\Local\Temp\testpdf.pdf
2⤵
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Users\Admin\AppData\Local\Temp\sysmon64.exe
sysmon64.exe -i -accepteula
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2444

C:\Windows\sysmon64.exe
"C:\Windows\sysmon64.exe" -nologo -accepteula -m
3⤵
- Executes dropped EXE
PID:2772

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" um "C:\Users\Admin\AppData\Local\Temp\MAN8B8.tmp"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im "C:\Users\Admin\AppData\Local\Temp\MAN9D1.tmp"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn windowsChecklistTasks /tr "\"C:\Users\Admin\AppData\Local\Temp\client_demo.exe\" --taskscheduler=true" /sc onstart /ru System /F
2⤵
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2240

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
5KB

MD5
c78206d5fa6453a2f02e3225885a4251

SHA1
7e1554416fae998a2d1fd2959777afa1e7c903fd

SHA256
60748b287c452ee2aab075ad4357f8c3901f8d5ecdc4a35977170a16c73a929f

SHA512
bddc258ca073fc26df5a54434b207fb677bb528f38334d774dbbf96313606ada50dcb81781947e54eb0344e426e3267eb6600b90d86cbf5559c970cd6eecc79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
5KB

MD5
c78206d5fa6453a2f02e3225885a4251

SHA1
7e1554416fae998a2d1fd2959777afa1e7c903fd

SHA256
60748b287c452ee2aab075ad4357f8c3901f8d5ecdc4a35977170a16c73a929f

SHA512
bddc258ca073fc26df5a54434b207fb677bb528f38334d774dbbf96313606ada50dcb81781947e54eb0344e426e3267eb6600b90d86cbf5559c970cd6eecc79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
6KB

MD5
1f70380c0e38d6088861361705ea516d

SHA1
29275ca0b6c550b6bbbdbf5cf29fa46d4ff93012

SHA256
58f750a7a68b836700699ea53d1c9daee4585eea7ba761f33560dbadcacaff8a

SHA512
98471245fb384926ed1f8f57ac4c0ee6df2300e3aa9ee4b80a6602ac0942dc2d17ef072e632285dc3db422641a270567d90d9177944f1dd187ab1c8b69fab5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
6KB

MD5
17ab5da32a1bba4bf86de545161298fa

SHA1
9f8171044db89b3a2aa17ac2f240c37e5166777e

SHA256
ba48432bfe86de75b4ff128f9af9d6f5c89950ffd2b6ea5ea8da2bc4ce704a4a

SHA512
10633ed56e08a91199ddbea86b71241e10af17e613dd05475defb248940ff49a549c9e45f9867849e89cd032eaf21bcbd339213a6d3b0d4233033afbd749e0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
6KB

MD5
17ab5da32a1bba4bf86de545161298fa

SHA1
9f8171044db89b3a2aa17ac2f240c37e5166777e

SHA256
ba48432bfe86de75b4ff128f9af9d6f5c89950ffd2b6ea5ea8da2bc4ce704a4a

SHA512
10633ed56e08a91199ddbea86b71241e10af17e613dd05475defb248940ff49a549c9e45f9867849e89cd032eaf21bcbd339213a6d3b0d4233033afbd749e0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
6KB

MD5
17ab5da32a1bba4bf86de545161298fa

SHA1
9f8171044db89b3a2aa17ac2f240c37e5166777e

SHA256
ba48432bfe86de75b4ff128f9af9d6f5c89950ffd2b6ea5ea8da2bc4ce704a4a

SHA512
10633ed56e08a91199ddbea86b71241e10af17e613dd05475defb248940ff49a549c9e45f9867849e89cd032eaf21bcbd339213a6d3b0d4233033afbd749e0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
6KB

MD5
c8360363861a536867dafb9d818c327e

SHA1
a0ac2bb7f658e1007a82d3e8038316e620b41d28

SHA256
210aa4dd7f6e0780400e7910c822761d85b88e7a15e69993b31edd3f5c55489e

SHA512
732d430d8bca83dd4ce65ddd392365d44d15d09fa3b949a08af68327b2b676b3a112d5957fc78a23801797951548264236aac0717e524e70bfc006d767aef44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
6KB

MD5
c8360363861a536867dafb9d818c327e

SHA1
a0ac2bb7f658e1007a82d3e8038316e620b41d28

SHA256
210aa4dd7f6e0780400e7910c822761d85b88e7a15e69993b31edd3f5c55489e

SHA512
732d430d8bca83dd4ce65ddd392365d44d15d09fa3b949a08af68327b2b676b3a112d5957fc78a23801797951548264236aac0717e524e70bfc006d767aef44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
5KB

MD5
73f2846e150377ac9eef97aa6cfd1e82

SHA1
bbd71ea32f915bc787558365efabbb8ace5590a8

SHA256
4ea0ed3df8fea706fd6c78db979e84e31a94c804663b3ce2ea6f31ddc6d858b8

SHA512
22d5318aa4e39b9cfd9809b874039c22155b0330ec7ec4d7674a476429f5828fa19a1946904209e22ee926faddcc0bdb2a98da746a6133db2a7dedb000d7007c

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
5KB

MD5
ac6e051d36f3a1a969a015a16a11f75e

SHA1
483bc115d80d6b380c51d763b76fb823529f3735

SHA256
a97958b155adb5689a7053fbf07002a4229a2590bcc87318d3cb789620630efd

SHA512
cc839c0a04dfd5bb118a46563d2cd81d87661258ee40301300274d93491e5b72b55488b92ae7f22d0ce5db2f637a9d1ac4d227709bf01d425af5cf0be06f8aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\test1.txt

Filesize
26B

MD5
fcde0c914569a9efcb7c76bfd785b3ce

SHA1
f4e5dae15dcec506cce6c829cc3ea51ef253453b

SHA256
a9937ff2b99ba53aea4fe272d795eb0647a8495af8fc35cddbef9db792764ac4

SHA512
00c3b13b2df5b6418123cdd7314a1164a6520382e906f503afc669ad51218d58ec7b1bc8697a8a045c26e93629fe82979b6511e562e0a8e83187ba99928cd4d5

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a9b965c1e1d4b3813dbd036f755358b2

SHA1
69b3df9d0945c6cc15d6bd53a04aae62fa468e59

SHA256
f3ef0d65cc1c364e700a4057dc7ed8377a0cabd44b9a993618424d994efb154c

SHA512
62f1484931664306a685b89031968ae2306836c31532c0ac3c98f931f6746cc62815cb06610d097e01da3a1d19c1c8eeffce0ad01be9864c52ba14ecaafb442f

Download Submit
C:\Users\Admin\checklist\ck_1156931877.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1156931877.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1792095423.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1792095423.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1902308368.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1902308368.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2082028056.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2082028056.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2527578229.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2527578229.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2676529173.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2676529173.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2780776757.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2780776757.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2780776757.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_409640377.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_409640377.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_4109583628.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_4109583628.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_549462622.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_549462622.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_579856306.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_579856306.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_904351612.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_904351612.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_937675831.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_937675831.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Windows\sysmon64.exe

Filesize
3.6MB

MD5
59f94eaaf3ae40b33fead8babe81df54

SHA1
ff4d7e583b3cabb2a3574be67d29820db29f20dd

SHA256
72a0cac1f83027188837b227763ee0688396a29d989504a1394568d509df4153

SHA512
5113f1cd675d2597b2ab120391121061e21d6639c1b7e02d73bafd5902649a8b3f999dc3d5b5a206dd25b15d95cb07f3d0ac510eeb3e580d89f092b0433cbb35

Download Submit
\Users\Admin\checklist\ck_1156931877.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_1156931877.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_1792095423.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_1792095423.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_1902308368.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_1902308368.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_2082028056.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_2082028056.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_2527578229.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_2527578229.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_2676529173.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_2676529173.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_2780776757.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_2780776757.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_3034821015.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_3034821015.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_409640377.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_409640377.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_4109583628.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_4109583628.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_549462622.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_549462622.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_579856306.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_579856306.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_904351612.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_904351612.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_937675831.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
\Users\Admin\checklist\ck_937675831.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
memory/780-265-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/780-266-0x0000000073AED000-0x0000000073AF8000-memory.dmp

Filesize
44KB

Download
memory/780-267-0x0000000073AED000-0x0000000073AF8000-memory.dmp

Filesize
44KB

Download
memory/2240-293-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/2292-258-0x000000002F430000-0x000000002F58D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-248-0x000000002F430000-0x000000002F58D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-250-0x00000000714CD000-0x00000000714D8000-memory.dmp

Filesize
44KB

Download
memory/2292-249-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2292-259-0x00000000714CD000-0x00000000714D8000-memory.dmp

Filesize
44KB

Download
memory/2384-294-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2412-264-0x000000007274D000-0x0000000072758000-memory.dmp

Filesize
44KB

Download
memory/2412-261-0x000000002D560000-0x000000002D772000-memory.dmp

Filesize
2.1MB

Download
memory/2412-260-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2412-262-0x000000007274D000-0x0000000072758000-memory.dmp

Filesize
44KB

Download
memory/2484-232-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-233-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/2484-234-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/2484-236-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-235-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/2484-231-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2484-230-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2484-237-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads