2854a7b5364b83bf42aa39a7366d0b1c84114d9d2f8e01b5616bcfa17a7178cd

Analysis

max time kernel
99s
max time network
103s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24/08/2023, 08:39

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

folder-lock-en.exe
Size

9.3MB
MD5

e0f2d7f6e55f8f858fe77854e5b3d373
SHA1

f5032bc8d01d0b1d03e8dd89d1b4ab0994ee7480
SHA256

2854a7b5364b83bf42aa39a7366d0b1c84114d9d2f8e01b5616bcfa17a7178cd
SHA512

e8f7b381e5d21caae1ca6f03567a519b25d818fc685e847e935600fd09b2b821cee21bf5093af93831433f1f3e19fe393bd44e101d54f634a63a4eb3d75fafc6
SSDEEP

196608:XDKlIUeFGUubcC3hB8+bo6Rbsd8wPa1MablCkptsoJuFQ/asESY1/R4zL3:XDuIOUugZ+tC8wPQFL/ssuFQ/wS

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1276	WinFLService.exe
2212	WinFLService.exe
2924	WinFLMsgService.exe

Loads dropped DLL 6 IoCs

pid	Process
2080	folder-lock-en.exe
2080	folder-lock-en.exe
2080	folder-lock-en.exe
2080	folder-lock-en.exe
2080	folder-lock-en.exe
2080	folder-lock-en.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2080-0-0x0000000001370000-0x00000000022DE000-memory.dmp	upx
behavioral1/memory/2080-1-0x0000000001370000-0x00000000022DE000-memory.dmp	upx
behavioral1/memory/2080-5-0x0000000001370000-0x00000000022DE000-memory.dmp	upx
behavioral1/memory/2080-12-0x0000000001370000-0x00000000022DE000-memory.dmp	upx
behavioral1/files/0x0009000000016375-53.dat	upx
behavioral1/memory/2080-58-0x0000000001370000-0x00000000022DE000-memory.dmp	upx
behavioral1/memory/2080-1392-0x0000000001370000-0x00000000022DE000-memory.dmp	upx
behavioral1/memory/2080-1441-0x0000000001370000-0x00000000022DE000-memory.dmp	upx
behavioral1/memory/2080-1444-0x0000000001370000-0x00000000022DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\WinVDEdrv6.sys	folder-lock-en.exe
File opened for modification	C:\Windows\SysWow64\WinFLTrayShred.exe	folder-lock-en.exe
File opened for modification	C:\Windows\SysWow64\nwsftUninstall.exe	folder-lock-en.exe
File opened for modification	C:\Windows\SysWow64\WinFLMsgService.exe	folder-lock-en.exe
File opened for modification	C:\Windows\SysWow64\WinFLService.exe	folder-lock-en.exe
File opened for modification	C:\Windows\SysWow64\FolderLockAdrv.inf	folder-lock-en.exe
File opened for modification	C:\Windows\SysWow64\WinFLCtxMenu.dll	folder-lock-en.exe
File opened for modification	C:\Windows\SysWow64\WinFLTray.exe	folder-lock-en.exe
File opened for modification	C:\Windows\SysWow64\WinVDEdrv.sys	folder-lock-en.exe
File opened for modification	C:\Windows\SysWow64\WinFLAdrv.sys	folder-lock-en.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\NewSoftware's\Folder Lock\htmlayout.dll	folder-lock-en.exe
File opened for modification	C:\Program Files (x86)\NewSoftware's\Folder Lock\FLComServCtrl.exe	folder-lock-en.exe
File opened for modification	C:\Program Files (x86)\NewSoftware's\Folder Lock\FLComServ.exe	folder-lock-en.exe
File opened for modification	C:\Program Files (x86)\NewSoftware's\Folder Lock\flk.ico	folder-lock-en.exe
File opened for modification	C:\Program Files (x86)\NewSoftware's\Folder Lock\flka.ico	folder-lock-en.exe
File opened for modification	C:\Program Files (x86)\NewSoftware's	folder-lock-en.exe
File created	C:\Program Files (x86)\NewSoftware's\Folder Lock\uninstall.exe	folder-lock-en.exe
File opened for modification	C:\Program Files (x86)\NewSoftware's\Folder Lock\uninstall.exe	folder-lock-en.exe
File opened for modification	C:\Program Files (x86)\NewSoftware's\Folder Lock\flwa.ico	folder-lock-en.exe
File opened for modification	C:\Program Files (x86)\NewSoftware's\Folder Lock\Folder Lock.exe	folder-lock-en.exe
File opened for modification	C:\Program Files (x86)\NewSoftware's\Folder Lock	folder-lock-en.exe
File opened for modification	C:\Program Files (x86)\NewSoftware's\Folder Lock\flkb.ico	folder-lock-en.exe
File opened for modification	C:\Program Files (x86)\NewSoftware's\Folder Lock\EnglishHelp.chm	folder-lock-en.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c0000000002000000000010660000000100002000000018a08ad944c0288a90e1bd06a13ae1b0089d0c3063960eaec1119ffa7688dfaa000000000e80000000020000200000004ed3f95bfd7964d71f25802266f24adc429d163f484acc66feb07b8c255691c820000000fb4507bef5adf979e94d825ff3ae6cbdb433492ab3299ae565d38adb111c3a86400000007d9f1f35fd203addf0561c0c8916903b1badd9afc4f378f8cae261641a93f256db41735603c294a669162890b8190ca57fe25a94a799d2be0d45acd05a748740	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805eda3a69d6d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\newsoftwares.net\Total = "185"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.newsoftwares.net\ = "161"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.newsoftwares.net	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\newsoftwares.net\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.newsoftwares.net\ = "185"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5EEC4131-425C-11EE-B524-CEADDBC12225} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\newsoftwares.net\Total = "161"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\newsoftwares.net\Total = "287"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "185"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\newsoftwares.net	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\newsoftwares.net\Total = "86"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "13"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "116"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "161"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.newsoftwares.net\ = "13"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.newsoftwares.net\ = "287"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\newsoftwares.net\Total = "127"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\newsoftwares.net\Total = "13"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "287"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.newsoftwares.net\ = "116"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\newsoftwares.net\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.newsoftwares.net\ = "86"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.newsoftwares.net\ = "127"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c000000000200000000001066000000010000200000008dfb2fe32cafbabae4ba62161d45a82e53218e65b1a6f8983f64ba6fb96783ee000000000e8000000002000020000000873b0580d5d99caf7cfaf6b1339704c7f1ceda57a47b4b8a8437f3f356e76907900000002542cc54bb3d4d2cec3d8b61af9c482d7ac9b4e4de030bafa5011375fe14c1ad9c44811c090d7c5f6c354d7a6134bad7590b514da2ae2a926c4c12bdd9fa184feffe230f2bcfcf30affa28a2c8f96df36cd1f30e133c9e2cae0d0e89c11e5759a98c5a7a879a98c3b05c21c9c58505c767c4f1a650903bb2c6444a2571465c5866f72f51ceaa73a6a36390cf67c7f22c40000000aa5d3f051b266a66f2cdde6353c232aa2d3d0e73845d1bd15de41c2d285711cf16fe4ef62918134f0670d77d10e7d07dcf77ea15beba9f061ee3b3c767340f28	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.newsoftwares.net\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "86"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\newsoftwares.net\Total = "116"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "127"	IEXPLORE.EXE

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.flkb	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFileB	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFile\Shell\open\command	folder-lock-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFileB\Shell\open\command\ = "C:\\Program Files (x86)\\NewSoftware's\\Folder Lock\\Folder Lock.exe /EncryptWindow,%1"	folder-lock-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.flk\ = "flkfile"	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WalletFile\DefaultIcon	folder-lock-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.flka\ = "FolderLockFile"	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\flkfile	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\flkfile\Shell\open	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WalletFile	folder-lock-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WalletFile\DefaultIcon\ = "C:\\Program Files (x86)\\NewSoftware's\\Folder Lock\\flwa.ico"	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WalletFile\Shell\open	folder-lock-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFile\Shell\open\command\ = "C:\\Program Files (x86)\\NewSoftware's\\Folder Lock\\Folder Lock.exe /EncryptWindow,%1"	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFileB\Shell\open\command	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFileB\Shell	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\flkfile\DefaultIcon	folder-lock-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WalletFile\Shell\open\command\ = "C:\\Program Files (x86)\\NewSoftware's\\Folder Lock\\Folder Lock.exe /SaveWallet,%1"	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFile\DefaultIcon	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFileB\DefaultIcon	folder-lock-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFileB\DefaultIcon\ = "C:\\Program Files (x86)\\NewSoftware's\\Folder Lock\\flkb.ico"	folder-lock-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\flkfile\Shell\open\command\ = "C:\\Program Files (x86)\\NewSoftware's\\Folder Lock\\Folder Lock.exe /EncryptWindow,%1"	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.flwa	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WalletFile\Shell\open\command	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFile	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\flkfile\Shell\open\command	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\flkfile\Shell	folder-lock-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.flwa\ = "WalletFile"	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WalletFile\Shell	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.flk	folder-lock-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\flkfile\DefaultIcon\ = "C:\\Program Files (x86)\\NewSoftware's\\Folder Lock\\flk.ico"	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.flka	folder-lock-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFile\DefaultIcon\ = "C:\\Program Files (x86)\\NewSoftware's\\Folder Lock\\flka.ico"	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFile\Shell	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFile\Shell\open	folder-lock-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.flkb\ = "FolderLockFileB"	folder-lock-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FolderLockFileB\Shell\open	folder-lock-en.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2080	folder-lock-en.exe
2080	folder-lock-en.exe
2080	folder-lock-en.exe
2080	folder-lock-en.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeShutdownPrivilege	1716	shutdown.exe
Token: SeRemoteShutdownPrivilege	1716	shutdown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
832	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2080	folder-lock-en.exe
2080	folder-lock-en.exe
832	iexplore.exe
832	iexplore.exe
1184	IEXPLORE.EXE
1184	IEXPLORE.EXE
1184	IEXPLORE.EXE
1184	IEXPLORE.EXE
832	iexplore.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2216	2080	folder-lock-en.exe	30
PID 2080 wrote to memory of 2216	2080	folder-lock-en.exe	30
PID 2080 wrote to memory of 2216	2080	folder-lock-en.exe	30
PID 2080 wrote to memory of 2216	2080	folder-lock-en.exe	30
PID 2080 wrote to memory of 2216	2080	folder-lock-en.exe	30
PID 2080 wrote to memory of 2216	2080	folder-lock-en.exe	30
PID 2080 wrote to memory of 2216	2080	folder-lock-en.exe	30
PID 2080 wrote to memory of 1276	2080	folder-lock-en.exe	31
PID 2080 wrote to memory of 1276	2080	folder-lock-en.exe	31
PID 2080 wrote to memory of 1276	2080	folder-lock-en.exe	31
PID 2080 wrote to memory of 1276	2080	folder-lock-en.exe	31
PID 2080 wrote to memory of 2924	2080	folder-lock-en.exe	34
PID 2080 wrote to memory of 2924	2080	folder-lock-en.exe	34
PID 2080 wrote to memory of 2924	2080	folder-lock-en.exe	34
PID 2080 wrote to memory of 2924	2080	folder-lock-en.exe	34
PID 2080 wrote to memory of 2840	2080	folder-lock-en.exe	36
PID 2080 wrote to memory of 2840	2080	folder-lock-en.exe	36
PID 2080 wrote to memory of 2840	2080	folder-lock-en.exe	36
PID 2080 wrote to memory of 2840	2080	folder-lock-en.exe	36
PID 2080 wrote to memory of 2840	2080	folder-lock-en.exe	36
PID 2080 wrote to memory of 2840	2080	folder-lock-en.exe	36
PID 2080 wrote to memory of 2840	2080	folder-lock-en.exe	36
PID 2840 wrote to memory of 2144	2840	rundll32.exe	37
PID 2840 wrote to memory of 2144	2840	rundll32.exe	37
PID 2840 wrote to memory of 2144	2840	rundll32.exe	37
PID 2840 wrote to memory of 2144	2840	rundll32.exe	37
PID 2144 wrote to memory of 2740	2144	runonce.exe	38
PID 2144 wrote to memory of 2740	2144	runonce.exe	38
PID 2144 wrote to memory of 2740	2144	runonce.exe	38
PID 2144 wrote to memory of 2740	2144	runonce.exe	38
PID 2080 wrote to memory of 832	2080	folder-lock-en.exe	41
PID 2080 wrote to memory of 832	2080	folder-lock-en.exe	41
PID 2080 wrote to memory of 832	2080	folder-lock-en.exe	41
PID 2080 wrote to memory of 832	2080	folder-lock-en.exe	41
PID 832 wrote to memory of 1184	832	iexplore.exe	43
PID 832 wrote to memory of 1184	832	iexplore.exe	43
PID 832 wrote to memory of 1184	832	iexplore.exe	43
PID 832 wrote to memory of 1184	832	iexplore.exe	43
PID 2080 wrote to memory of 1680	2080	folder-lock-en.exe	45
PID 2080 wrote to memory of 1680	2080	folder-lock-en.exe	45
PID 2080 wrote to memory of 1680	2080	folder-lock-en.exe	45
PID 2080 wrote to memory of 1680	2080	folder-lock-en.exe	45
PID 1680 wrote to memory of 1716	1680	cmd.exe	47
PID 1680 wrote to memory of 1716	1680	cmd.exe	47
PID 1680 wrote to memory of 1716	1680	cmd.exe	47
PID 1680 wrote to memory of 1716	1680	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\folder-lock-en.exe
"C:\Users\Admin\AppData\Local\Temp\folder-lock-en.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s /u "C:\Windows\SysWow64\WinFLCtxMenu.dll"
  2⤵
  PID:2216
- C:\Windows\SysWow64\WinFLService.exe
  "C:\Windows\SysWow64\WinFLService.exe" -i
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\SysWOW64\WinFLMsgService.exe
  "C:\Windows\system32\WinFLMsgService.exe" AntiCracking
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" setupapi,InstallHinfSection DefaultInstall 132 C:\Windows\SysWow64\FolderLockAdrv.inf
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\SysWOW64\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:2740
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.newsoftwares.net/thanks.php?action=install
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown -r -t 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1716

C:\Windows\SysWow64\WinFLService.exe
C:\Windows\SysWow64\WinFLService.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2896

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2260

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NewSoftware's\Folder Lock\Folder Lock.exe

Filesize
5.5MB

MD5
72c39ed3c2a0850f77eb95b42fa7bc41

SHA1
e914c212bb934aa4ecbb9849504e7ce811661758

SHA256
a4dcb34a89713a52a311d8b1989deaa6148ceb7ceda6071eae019acf54890b5d

SHA512
8490a98b3fcaf989f326a2ab4ca45f120c8e054235e83710f879cbc27a2bf2058a08b4d6a912e773b791a224cb47a6fe0ec8a4523aecbb67580ecb4b0aeefc20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
4849ded5f45cec7e511d14847c702399

SHA1
c91f233dd80fbdbf3eec4917a1289b6ce94cb3ee

SHA256
2481d98926336d63129e6b28c64fd1beee1e411c5dccb5919027f8a01fe5dd51

SHA512
5932d462f714fa61c80351bad47af51601985450627afa1fb938f9187168dd9ceee993716c0a3fa26b82ef244c9ca0794b7bf49dee238c738039c5c1f6c4acab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\245FCEA921D53F4F3A22A570E8B6613D

Filesize
472B

MD5
6899252fc6331e50d87941c473431e2f

SHA1
7cc56d649d68c97b0e730ddf4ac5e77de76ca9b5

SHA256
310cfccf50aa9e836e72f1a7ea70261df2344438f472e328369d3029ef8d64cf

SHA512
98c5e0436e3555d539849d3416330e5d95cb51d215b9d0d5a75419d43f85fe903dd9ce66d510192c04ae4174f489467f76623fd84db2e399846a33b925787fdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e56ec378251cd65923ad88c1e14d0b6e

SHA1
7f5d986e0a34dd81487f6439fb0446ffa52a712e

SHA256
32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

SHA512
2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
1f94d4d280ff409d554abab350d17ef1

SHA1
6df310f84e1b99164310b7324996b71a3cb3fe24

SHA256
047a1f77bd04d3b566fe9f71e653e788ba99ecfa954cd169fde5b70517350a11

SHA512
25e67e76e011e6cb6bfd4654daef6a7c30d67db62006519549b209b3e0f6714437e08ce5ff2f26a8da54e9f0b37482ceb1ad0c2e15ee7cdb4d79347d7e0309fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_BA96BD9FC830FD81762DCCA1F680DCB6

Filesize
472B

MD5
d9b624cc08ed83319f5b4e930dd6f73e

SHA1
b6a20c446be2795a049d7aa3769c4d8152cee2ea

SHA256
24dbc611d7a1a7ab4c2d77849c82033650fa308b427d79fa2e75df9f3de9d330

SHA512
f3ece75b1a153025d83969a45f0bb9cbf0c4155f74e22c4ed2b7fcf9a3ad8142f95cae69c56a10b22ab8798f81f450ab0fb99c88cd736cecc0fc7d2e5d53a223

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
8f5797b6b76419754eee10dd52d313c4

SHA1
6a450456a192c21814b10583372a1ba18dacbe43

SHA256
69288c9a2c1b0741fa36d0bedac93873ed02cd807da4790fac0d5ee34124264e

SHA512
57d819a6c88ccf44463a477975cafee254c0663585fb59a8bc606ed30f391cffe52cb3e3caf7ccca9f91fe2a27120bdeee6f0cf19145c9d507d8476f3362e810

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
3b4aede70468f7d6ab00215f29febefc

SHA1
8981f0c8cea89f06b747834fc2b0535a9fc3283c

SHA256
01e8f1a3a41fa739b2fd79afd842da3c19ba155034a5b48c6c5d2a35c86204ac

SHA512
6ed7486f0cfee827fb73da38e28c098d1d1ba2bb54f51d076ca60a98b52c7b3f728b65cbb2cfed02e730297336b8f7695f6537ca9ac58430bbe5c9e1e19920c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\245FCEA921D53F4F3A22A570E8B6613D

Filesize
476B

MD5
6299f6c8f343ff55954a9adb1be6cc77

SHA1
839e9b1c6c131ab598dca9b75c76a76e2278720c

SHA256
e40fe81b995daa6700f2021c1366c45588eff2c0655c4d22ca55e6dc71e5765e

SHA512
b3e89efa60ec1fe74c799f03f24c31ec92d8c18a7e4369330b5b503b7ac802457a4e827825fa0197401ed07cdb01390cbfbd3e5709e73aad0666e41fffcd5726

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\245FCEA921D53F4F3A22A570E8B6613D

Filesize
476B

MD5
16f8d36be207994b931f82db049daead

SHA1
84679e7b5979f622f861e1a04cd399df774e0bd3

SHA256
8f9651575e5e99e82ac11ecccf5bb3312dd2dfe88f02a707543f181da2cab348

SHA512
85ed67078a59c62104dc6067bd1f52c6ca892cd55f85d50b24cdb3440222f0d7826ec7b5f072fa1c1847884c8a0b0f9f763b4049495ce635162152324e125a81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
abcfb7662c1db5e51dce10dbe1389d7d

SHA1
3659d13f0e07eb7afda40e4ae0244db518edc5a4

SHA256
31932c1547b21cf27d5b7e6992b35c51355473e6f161257cff748944497b30c9

SHA512
191c39199503b0347034752bf2afa6cc909d063ba03a75bc1f2be704bbe01fe28b3b8f520b75099268fc719b513ea2421a0d379c89b0e3cb3c885242af4f5504

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
26607134f2d6a756d7acb8e018c47298

SHA1
37f6310ff1138f39e56427884eda54a2a71ca68d

SHA256
046dca79a7059037da5fd0612aa691255fd07c84f1eff0dbfc8394763c609220

SHA512
d0ddaeb50be3037a485ba8adff0c7415c3551febe374fa5d3cac3e6efa3f3b1af11f186222c278f0f1703c5bf54110a3bacb0905471cdc6ca07bcafd5ef54dc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3e18aaa309ae3bb0b5ceda5d5dcccb1

SHA1
cc66ba3d37b10e2811c7cd51b48aba9316bbac60

SHA256
f244348b42343ded34aff1d4760cff376e6e97247db07cae3e66bb1002c9e13a

SHA512
d00f71cc432b160e1310b4909cfe2d406507c6e638ea1e89fa376d35b93cc00a423c49e07c24cd1977f19076fc50de6eb40d2e5237685cefe6c1406bdd3d3d9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb8808de8705c45cd57383cf03558a10

SHA1
15f254758a65a66eab9e769ad3b56469e8d068b8

SHA256
11a73a44f5d0c17259e86e250e609b02b3307b9d32ef82ff4e002c4ec3aef125

SHA512
affc12ca1152767362a0114f1d2e0a76df49737a6dfaebf36f91838c0e5b53a6fc039f8e255f35d96e6e854676b37b7ce7cbe5a2e101cd085f267703409b5e7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da1672bee22b37ae6a3d23840625798b

SHA1
3ba1bd3a09618fce1803edfc36719709f495b2e5

SHA256
a6d7ef97ef20e5a6db70899d0e1de332aa9b4769627a47d5d4d44e639979c133

SHA512
09f732562a9b37d26efe2324c95b6d8ff9de2c7f3bceb215a42ff84a932014a5431b48eaee24f723141a695179f2f1942b3ab75ffcf4b86844ccdae46f8a17d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2d69fab2308d37f97d2dbb0a59e70c5

SHA1
c848153e30accd1aaab444cde6b17daf2e87fb1b

SHA256
a077e4562c95b196b8fd36f185e375d519c90bcf1f49fb5ba064136fd566ec3c

SHA512
61d0e19fd09b38e70a6cb6f4dab2942a32642089a5bdd57560438244417dc704bafd2e2b7a4cc8932d2a3a66495e705eb425c3140d2d4d68f577c79845b003c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c20f5ded2d189604ca14638c3c7ddca

SHA1
cbde1776cdd9fab8446764a488c81acea64e4f2c

SHA256
d050d288e4363987691aa636d4987dee2a2ca9a2651617d5661abaf10723fd63

SHA512
f27389b97449e4247011667f904525a7404f5a0708cb3540e5c8c4e0669772ed7c475d4f6abc1e92246828cbf5ca0297b79287a4d16f95599671c2f2421f610f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a34a0ab8c834f9b58778e855f070aea9

SHA1
005174e281bef9bbc50df1fd34c1c782ec4374c2

SHA256
f48dfff6aa4cec38435dda3043374a21fc1ca0e78315c7ede1427272dc73dbfd

SHA512
d7572f87c66467eadd1914c356984cf1270c2479aed5d4bd0c79a62bf9cd380d18777eb221199ebda5d6ba303d81fcb206caf730583f3b8a6c8224a09c469b52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e52ea6dddfee7dff26a577d99be61d62

SHA1
f5ea16138bc3c5554f2325b269f0975aea0cdb39

SHA256
cf13096193fa5dd5af0df7c104d85ea13cb76fc9b7c59d4ad8ad9c1711df01d5

SHA512
be4503970b3b086a1f0b3854bbb2ddfe8efe474e313e31e008303b7451c18b3d3eccc3417c1ff143e3f7ce434067439595fbd04bc15ff0dbb637fcbaea9a0f1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb8868b75abb38daa3b8c88031b1f9ed

SHA1
e2a152957b3de0198c608485bc46762b7150dd5a

SHA256
5a818f796799b41b88f5b0e243ebd619fb86b768e286dbb0600b49d93c10c377

SHA512
6a98784e5db6d821ff14d80d16d7035ecd7bed6a90cac4f679b6092d330e49d88fc6e14f9de0c4703ce971a0046789a0a6822932bd56c09e7bac4c3340299c9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b25b639e7caf2f9d4387a8e0faa3480a

SHA1
536c4221ced6f80be38a9bb27284f86eaa52cdac

SHA256
af9b8c4d7a20592dba22373eb8e3360d781db9179321acd92a4b12ec88880e3a

SHA512
94c8cf0e36101da7117c424101432f04869dc7ea29e6c39c73281c32734f283293adcfd231908802315ee77b4578b23ff914f2fa17d37d0a5543e290e6d70536

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d7e63bed781ea678ce7b81c968649a7

SHA1
3f265fe6d5f287950d7c9b684d7aa23127731e0d

SHA256
c6c0881063360723a1aa60d1b0c1f7780331d3ec466c1be49657a0080d0e1a4c

SHA512
ad70aa0beccc0a9f2a7d95a9bac0bb56b49735a992425da96516dc75bc75524621cbfa80bf1b57ec81f62890b6d1e58f4c19d9c66af9d584dc37f62da3726cae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac521811f805d361d5c7eabc97fedeb2

SHA1
35612dbc8b09b124f8972e8a2bb1281e4e476ea7

SHA256
3c481fc3311490b0941e36d5d3abf1668b1a3427844d5ac16b0316e07f045ed2

SHA512
c97786d54916aade1aeb6f54e17898f52ddc175f7f00f1000053c52d5e7986c4c028a4c23dcbedb6c724ac1331ce29c716ec206ed626515d508c925c34e576a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec1c8917a0f4b179bc195ca1f9134a92

SHA1
5f9864dc6b9f56df8ca019bba898d6e9d52b9c16

SHA256
7d4bab53fa4d2a7f09fcd860fcaaa2296d0cc0cf1aad86b9e2adaa3ef8688d77

SHA512
5c0e302cda42cc4041cdcd5532b4598975c56d498099002447cf78260a0bf377fc75d1a3fd37bf485cb13ff8a9bf1c08ce6acab78f6460a50a44b91f1e56a992

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74402968da1e40f5e4cfbc01a53e2b90

SHA1
8d98e7ad96b253e901270bfb0042b3df2504aa53

SHA256
7b5718e95f55936600aca4243fc616b3b141dda3c0aad94a89c58edc66591fd9

SHA512
0e51ce04b1ead1ba09a7574d87254f24d9c13cd0378813327e124c0c014b7852440e8a045e709318221e44643c05a432768a84690ed27dd2133e85606966a06a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5ab81e7615a36b82f6d05e305b1e2dd

SHA1
5d08fde33283d110cc5218071a7dda97dcf523de

SHA256
8630f02f7e9daf00313631aea49ea5b0b00125f859d6951883b4404d42f35ebb

SHA512
cf405eda8e2fcb36e1fa22a2ec2bfab53ffe94157500770e37d4f15ce2b5111fd573d8742b4aad4b236dd7aa44267959723eec44a59175a6589f3514e875bdb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
94f655ecc5cbe0090995ddfce3545128

SHA1
ae5bfa2250bacd3deff9bfa9dee5bd341afcbacb

SHA256
a4b3a3b8e427f13bc1a7618c9c34d6e7937112687fe388a6a705ebe983441718

SHA512
b88df61fdb42cbe3d22389be6f44007c8b2d30bc904afbfecebd7e6d6b5781e3c44b9b52ecc9f02bd3a96f7bd1429f90736545adc8f383757870e47bf860436a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_BA96BD9FC830FD81762DCCA1F680DCB6

Filesize
402B

MD5
2fb6f002e01a3883d44d552fc8a8276b

SHA1
9b3a7f45cecf5d8cc4e3d3b53a3e7bb779420405

SHA256
15b838312b1126fd6a35decddd3557cd7ecded57380c0a6109ce04b869becdca

SHA512
c2f7bd3a68b1ff4c1f24bdd8ab0fbd4c306824f035161e5ccd37b6ee9965fedeb0fb4d5de76f20ae1de17654d1cbec61d72eafb2182972252468c7e81528aec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_1A6D0BD6D02BDDC07B8F860BB4D46AEE

Filesize
410B

MD5
633311481925fc88b2b8f7952b5119a7

SHA1
20be7060d4710f5fe587b326023ed10f691ae19c

SHA256
08c557b371de2078df64890ae6cf4c96a4cb34c9731b52c2a6000ec8efe7abbc

SHA512
76e0d130cfe51eead3661cafee9f22dfc7704df88e09a4170f4381ce657e43915892c4e018d702f17db5a4c80d7d36dbe520bd8fd05ff293f4e09ffca18e4383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\23I2702C\www.newsoftwares[1].xml

Filesize
320B

MD5
0f95fb075aa3e4ae4559c735bbc5b857

SHA1
5439d48f872594fb25b39b3562d3c74ab3813bcf

SHA256
aee1ff73d4cc41fe014f594141ca9f0489d7443a8ef33019cd2c6fb1549a80c3

SHA512
a397a0fb12d6fa611a675cc95955b251420abcc74e8c91932e87b785093da626ce735a06f22bef8ac860653ddcb652164bb75a3cc0c8fa6db1ce76a4a7bdd36f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\23I2702C\www.newsoftwares[1].xml

Filesize
320B

MD5
4f33b7d1473b27eab44bfa12ee0e287e

SHA1
e8a890281810fdb824cb5d19430839b33f6de0a8

SHA256
777b8ce60eccd667813a94d613e3d2e6aef4297421c2e0148c33e30ad7f24760

SHA512
d2eeee88a87c95fef6cec4b78556a925ffc47d24d1d513ad4eaebb9b48c934b92636217f2d7a2908ace9e5cb80be6fd62507f956bbe40f037f74d888c015ee46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\23I2702C\www.newsoftwares[1].xml

Filesize
320B

MD5
9aadf3156f82d139fc8f703901c1eb3f

SHA1
08d3fff9bdb1683b5ddae75bfda37d89657cd0c4

SHA256
904ca96fcfa8c34dc8da968d54b64ecf4425a6ed71cc9d634692f3487d399638

SHA512
313ac18369248b2e6fcdae17d029208636a2dc1909e01e0f804545c6b64790c73117156f45929b47dae171bb49474dfd3cfae97afdfbbb0ddfab72b1d1384a8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\23I2702C\www.newsoftwares[1].xml

Filesize
320B

MD5
b37ebb66f5584e9fef52d8a54df04fbc

SHA1
99076ac152f4bbdb1083ded21bec0ceb5a1de9a7

SHA256
c34b80edfaa3be41a0ea6793f8df4f99ec12be1e35780fa7d8638db09a30ebc6

SHA512
17e3de33bdd07f7368257e66d1f8c258ccab8408a301f6a868e5b589b53a06dfd575bd0ea3b04449aa8a80460d23f635d6f223b66c88db3c8f7a9f89f54ceea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\23I2702C\www.newsoftwares[1].xml

Filesize
320B

MD5
96db62bd94aa0ccaa649969ee78f0bca

SHA1
63fcf5855821d6a943d8eab27a2052231467a165

SHA256
7d75a3f593d8ce07e04863c7b346dcdb563aa01b8b29607faf7e8e3daa4fae0a

SHA512
7cb3a4ba8df498dd6f4cf92571cbded815d413a32a2f79f85dea67d6d8a929cc83b9779df95c589141e15b7c07d8adb6afb7ce7dcdf09562e4b6ac02041d815f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\23I2702C\www.newsoftwares[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\23I2702C\www.newsoftwares[1].xml

Filesize
259B

MD5
d6d87ce2351b880e4d49e3985ba28ada

SHA1
7d1d6b01aabe09f3e8cd5a29d81d7176d9021d05

SHA256
b8d02444ab88da41e313fcce386249e8f7ff777ad7d53f8ed33e7395644933c4

SHA512
dafef6a99663ccd365c1f7805d6ed2557b21d1d61fb98c7a24ea37fabd080d2d6acdcce7f2d8e640c6cc922d4246df003b8e8c7b174e1533b601aed8d835acc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\grebiyy\imagestore.dat

Filesize
5KB

MD5
54b70808dc29c1077487260c7931fe89

SHA1
6d9914628233f760d3c5018847a00d0acd6e23b7

SHA256
1faaa962e35b2b2032f7217ce9266c7e581f8ad6344a46e42b67c8e61c225a0f

SHA512
9ee0313c491c8174b7fc54699d8cf8da3081da2b69f4eac4c22cc47eda1c261a89b81846bdf6a86dba17217283b217d290b4c1ddcc376ff31f9ea051142da5c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DIFCPV5U\favicon1[1].png

Filesize
822B

MD5
b11f8c1b5d15bc4e99eb0922974eee11

SHA1
1e22bf3002e16e13d963d10947d7b0aebe207f92

SHA256
21eb356ed8559497f8bc83facc3b1f6c5b48ff0a85815c6d760fdd3d74c5bcf5

SHA512
d01c927763cd617850d0cab836af8788f052aedbba6adfa931a27be8d6342c488b6caaf700626107be2bce87f5e95cc3801d5b4a1b5535c570c1848723448598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H1823X4Y\fontawesome-webfont[1].eot

Filesize
161KB

MD5
674f50d287a8c48dc19ba404d20fe713

SHA1
d980c2ce873dc43af460d4d572d441304499f400

SHA256
7bfcab6db99d5cfbf1705ca0536ddc78585432cc5fa41bbd7ad0f009033b2979

SHA512
c160d3d77e67eff986043461693b2a831e1175f579490d7f0b411005ea81bd4f5850ff534f6721b727c002973f3f9027ea960fac4317d37db1d4cb53ec9d343a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab91D6.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab929A.tmp

Filesize
61KB

MD5
e56ec378251cd65923ad88c1e14d0b6e

SHA1
7f5d986e0a34dd81487f6439fb0446ffa52a712e

SHA256
32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

SHA512
2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar91E8.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar930B.tmp

Filesize
163KB

MD5
19399ab248018076e27957e772bcfbab

SHA1
faef897e02d9501146beb49f75da1caf12967b88

SHA256
326842dd8731e37c8c27a08373c7ac341e6c72226cc850084e3a17d26675f3c9

SHA512
6d5b12ec637ef4223fdd0e271cdc9f860b060ff08d380bba546ac6962b1d672003f9ae9556d65282d8083e830d4277bad8d16443720716077e542ab0262b0103

Download Submit
C:\Windows\SysWOW64\WinFLMsgService.exe

Filesize
15KB

MD5
e0a02098997ac684db3f2c949f7e0302

SHA1
bc03a68267f4693bc1dc0f172daded193a1a2865

SHA256
27a92f0345ec9fc75fc347ac328daf748815825622a577ed579e0f18b7f24bd8

SHA512
40244530eb184b6c95c80967d547787ee8138b41ec4eb4ff090a35595fd5960996c4f9e26faf3db7a2d97c3becaed42cd6c355427a248dbff75ccd7522ce7cac

Download Submit
C:\Windows\SysWOW64\WinFLMsgService.exe

Filesize
15KB

MD5
e0a02098997ac684db3f2c949f7e0302

SHA1
bc03a68267f4693bc1dc0f172daded193a1a2865

SHA256
27a92f0345ec9fc75fc347ac328daf748815825622a577ed579e0f18b7f24bd8

SHA512
40244530eb184b6c95c80967d547787ee8138b41ec4eb4ff090a35595fd5960996c4f9e26faf3db7a2d97c3becaed42cd6c355427a248dbff75ccd7522ce7cac

Download Submit
C:\Windows\SysWOW64\WinFLService.exe

Filesize
95KB

MD5
d108a830673fe477857e62ba9707376b

SHA1
c3255e8e532d96b59d82a639f1192f6a64ba7973

SHA256
ce37588bccb656a1289d7647316bb3527d0714332cea848a66a63b3856cac938

SHA512
f73f81f27536d6123fedd438f05be921ac6e572a56c3d5890408e63c3f665447199230a9685a0a0e9579553fed8e0a43477b755525074d4cac0be97d53e36d74

Download Submit
C:\Windows\SysWOW64\WinFLService.exe

Filesize
95KB

MD5
d108a830673fe477857e62ba9707376b

SHA1
c3255e8e532d96b59d82a639f1192f6a64ba7973

SHA256
ce37588bccb656a1289d7647316bb3527d0714332cea848a66a63b3856cac938

SHA512
f73f81f27536d6123fedd438f05be921ac6e572a56c3d5890408e63c3f665447199230a9685a0a0e9579553fed8e0a43477b755525074d4cac0be97d53e36d74

Download Submit
C:\Windows\SysWow64\FolderLockAdrv.inf

Filesize
2KB

MD5
5a3bcfcceaa2c9950532bce313bab55c

SHA1
0ad1fc0eac2abae3b8d9517778c3284859c318f6

SHA256
88a2f0796398995833cf645a44f4cd6a7f414aec3a27bd2c3b9b2bd2d2158e58

SHA512
ab2d598430a33593dd9d8d0159a4471a621464a038475ae87a2cacd9a8de83229de6056c6567b03dd3c6a9e79713ef260b151155dd1e3893907b58f8409510f0

Download Submit
\Program Files (x86)\NewSoftware's\Folder Lock\Folder Lock.exe

Filesize
5.5MB

MD5
72c39ed3c2a0850f77eb95b42fa7bc41

SHA1
e914c212bb934aa4ecbb9849504e7ce811661758

SHA256
a4dcb34a89713a52a311d8b1989deaa6148ceb7ceda6071eae019acf54890b5d

SHA512
8490a98b3fcaf989f326a2ab4ca45f120c8e054235e83710f879cbc27a2bf2058a08b4d6a912e773b791a224cb47a6fe0ec8a4523aecbb67580ecb4b0aeefc20

Download Submit
\Program Files (x86)\NewSoftware's\Folder Lock\Folder Lock.exe

Filesize
5.5MB

MD5
72c39ed3c2a0850f77eb95b42fa7bc41

SHA1
e914c212bb934aa4ecbb9849504e7ce811661758

SHA256
a4dcb34a89713a52a311d8b1989deaa6148ceb7ceda6071eae019acf54890b5d

SHA512
8490a98b3fcaf989f326a2ab4ca45f120c8e054235e83710f879cbc27a2bf2058a08b4d6a912e773b791a224cb47a6fe0ec8a4523aecbb67580ecb4b0aeefc20

Download Submit
\Program Files (x86)\NewSoftware's\Folder Lock\uninstall.exe

Filesize
9.3MB

MD5
e0f2d7f6e55f8f858fe77854e5b3d373

SHA1
f5032bc8d01d0b1d03e8dd89d1b4ab0994ee7480

SHA256
2854a7b5364b83bf42aa39a7366d0b1c84114d9d2f8e01b5616bcfa17a7178cd

SHA512
e8f7b381e5d21caae1ca6f03567a519b25d818fc685e847e935600fd09b2b821cee21bf5093af93831433f1f3e19fe393bd44e101d54f634a63a4eb3d75fafc6

Download Submit
\Windows\SysWOW64\WinFLMsgService.exe

Filesize
15KB

MD5
e0a02098997ac684db3f2c949f7e0302

SHA1
bc03a68267f4693bc1dc0f172daded193a1a2865

SHA256
27a92f0345ec9fc75fc347ac328daf748815825622a577ed579e0f18b7f24bd8

SHA512
40244530eb184b6c95c80967d547787ee8138b41ec4eb4ff090a35595fd5960996c4f9e26faf3db7a2d97c3becaed42cd6c355427a248dbff75ccd7522ce7cac

Download Submit
\Windows\SysWOW64\WinFLMsgService.exe

Filesize
15KB

MD5
e0a02098997ac684db3f2c949f7e0302

SHA1
bc03a68267f4693bc1dc0f172daded193a1a2865

SHA256
27a92f0345ec9fc75fc347ac328daf748815825622a577ed579e0f18b7f24bd8

SHA512
40244530eb184b6c95c80967d547787ee8138b41ec4eb4ff090a35595fd5960996c4f9e26faf3db7a2d97c3becaed42cd6c355427a248dbff75ccd7522ce7cac

Download Submit
\Windows\SysWOW64\WinFLService.exe

Filesize
95KB

MD5
d108a830673fe477857e62ba9707376b

SHA1
c3255e8e532d96b59d82a639f1192f6a64ba7973

SHA256
ce37588bccb656a1289d7647316bb3527d0714332cea848a66a63b3856cac938

SHA512
f73f81f27536d6123fedd438f05be921ac6e572a56c3d5890408e63c3f665447199230a9685a0a0e9579553fed8e0a43477b755525074d4cac0be97d53e36d74

Download Submit
memory/1448-1446-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2080-58-0x0000000001370000-0x00000000022DE000-memory.dmp

Filesize
15.4MB

Download
memory/2080-1392-0x0000000001370000-0x00000000022DE000-memory.dmp

Filesize
15.4MB

Download
memory/2080-5-0x0000000001370000-0x00000000022DE000-memory.dmp

Filesize
15.4MB

Download
memory/2080-49-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2080-44-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2080-535-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2080-0-0x0000000001370000-0x00000000022DE000-memory.dmp

Filesize
15.4MB

Download
memory/2080-1-0x0000000001370000-0x00000000022DE000-memory.dmp

Filesize
15.4MB

Download
memory/2080-593-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2080-12-0x0000000001370000-0x00000000022DE000-memory.dmp

Filesize
15.4MB

Download
memory/2080-498-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2080-1441-0x0000000001370000-0x00000000022DE000-memory.dmp

Filesize
15.4MB

Download
memory/2080-55-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2080-1444-0x0000000001370000-0x00000000022DE000-memory.dmp

Filesize
15.4MB

Download
memory/2080-1445-0x0000000000780000-0x0000000000782000-memory.dmp

Filesize
8KB

Download
memory/2260-1443-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads