phobos | 32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964

General

Target

32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
Size

262KB
MD5

5d2b3f808075ab6e605f4242d9c7a398
SHA1

2b0d4edf8ab7b84e7f8b5e05a18b39bf3ee5cf5b
SHA256

32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
SHA512

901a107dd865c14752cc61cfe9a08c5b50729a49d47b7010a03f44f5f3d51d9909c162bdd330771d9aa27f462f085fb2307543a8a28a62b46ed68ac7c037f797
SSDEEP

6144:kxywx3MS8G0RaN8t/CynGqYVOlmA95LTF4/zc7ldxsOV:gLqS87RaN3yG30vLp4wyO

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2716 bcdedit.exe
1552 bcdedit.exe
Renames multiple (110) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1512 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

884 netsh.exe
888 netsh.exe

pid	process
2716	bcdedit.exe
1552	bcdedit.exe

pid	process
1512	wbadmin.exe

pid	process
884	netsh.exe
888	netsh.exe

Drops startup file 1 IoCs

Processes:

32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964 = "C:\\Users\\Admin\\AppData\\Local\\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe"	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964 = "C:\\Users\\Admin\\AppData\\Local\\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe"	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe

Drops desktop.ini file(s) 11 IoCs

Processes:

32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3513876443-2771975297-1923446376-1000\desktop.ini	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3513876443-2771975297-1923446376-1000\desktop.ini	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe

description	pid	process	target process
PID 1716 set thread context of 2964	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2412 set thread context of 3036	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe

Drops file in Program Files directory 64 IoCs

Processes:

32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\orb.idl.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy.jar.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\Solitaire.exe.mui	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\London.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cayenne.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\SpiderSolitaire.exe.mui.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jre7\bin\javafx-font.dll.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\README.html.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jpeg.dll	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.id[6D8887CC-3483].[[email protected]].8base	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2696 vssadmin.exe

pid	process
2696	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe

pid	process
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
Token: SeDebugPrivilege	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
Token: SeDebugPrivilege	2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
Token: SeBackupPrivilege	1700	vssvc.exe
Token: SeRestorePrivilege	1700	vssvc.exe
Token: SeAuditPrivilege	1700	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2132	WMIC.exe
Token: SeSecurityPrivilege	2132	WMIC.exe
Token: SeTakeOwnershipPrivilege	2132	WMIC.exe
Token: SeLoadDriverPrivilege	2132	WMIC.exe
Token: SeSystemProfilePrivilege	2132	WMIC.exe
Token: SeSystemtimePrivilege	2132	WMIC.exe
Token: SeProfSingleProcessPrivilege	2132	WMIC.exe
Token: SeIncBasePriorityPrivilege	2132	WMIC.exe
Token: SeCreatePagefilePrivilege	2132	WMIC.exe
Token: SeBackupPrivilege	2132	WMIC.exe
Token: SeRestorePrivilege	2132	WMIC.exe
Token: SeShutdownPrivilege	2132	WMIC.exe
Token: SeDebugPrivilege	2132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2132	WMIC.exe
Token: SeRemoteShutdownPrivilege	2132	WMIC.exe
Token: SeUndockPrivilege	2132	WMIC.exe
Token: SeManageVolumePrivilege	2132	WMIC.exe
Token: 33	2132	WMIC.exe
Token: 34	2132	WMIC.exe
Token: 35	2132	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2132	WMIC.exe
Token: SeSecurityPrivilege	2132	WMIC.exe
Token: SeTakeOwnershipPrivilege	2132	WMIC.exe
Token: SeLoadDriverPrivilege	2132	WMIC.exe
Token: SeSystemProfilePrivilege	2132	WMIC.exe
Token: SeSystemtimePrivilege	2132	WMIC.exe
Token: SeProfSingleProcessPrivilege	2132	WMIC.exe
Token: SeIncBasePriorityPrivilege	2132	WMIC.exe
Token: SeCreatePagefilePrivilege	2132	WMIC.exe
Token: SeBackupPrivilege	2132	WMIC.exe
Token: SeRestorePrivilege	2132	WMIC.exe
Token: SeShutdownPrivilege	2132	WMIC.exe
Token: SeDebugPrivilege	2132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2132	WMIC.exe
Token: SeRemoteShutdownPrivilege	2132	WMIC.exe
Token: SeUndockPrivilege	2132	WMIC.exe
Token: SeManageVolumePrivilege	2132	WMIC.exe
Token: 33	2132	WMIC.exe
Token: 34	2132	WMIC.exe
Token: 35	2132	WMIC.exe
Token: SeBackupPrivilege	400	wbengine.exe
Token: SeRestorePrivilege	400	wbengine.exe
Token: SeSecurityPrivilege	400	wbengine.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.execmd.execmd.exe

description	pid	process	target process
PID 1716 wrote to memory of 2964	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 1716 wrote to memory of 2964	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 1716 wrote to memory of 2964	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 1716 wrote to memory of 2964	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 1716 wrote to memory of 2964	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 1716 wrote to memory of 2964	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 1716 wrote to memory of 2964	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 1716 wrote to memory of 2964	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 1716 wrote to memory of 2964	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 1716 wrote to memory of 2964	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 1716 wrote to memory of 2964	1716	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2412 wrote to memory of 3036	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2412 wrote to memory of 3036	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2412 wrote to memory of 3036	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2412 wrote to memory of 3036	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2412 wrote to memory of 3036	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2412 wrote to memory of 3036	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2412 wrote to memory of 3036	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2412 wrote to memory of 3036	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2412 wrote to memory of 3036	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2412 wrote to memory of 3036	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2412 wrote to memory of 3036	2412	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
PID 2964 wrote to memory of 2972	2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	cmd.exe
PID 2964 wrote to memory of 2972	2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	cmd.exe
PID 2964 wrote to memory of 2972	2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	cmd.exe
PID 2964 wrote to memory of 2972	2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	cmd.exe
PID 2964 wrote to memory of 2472	2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	cmd.exe
PID 2964 wrote to memory of 2472	2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	cmd.exe
PID 2964 wrote to memory of 2472	2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	cmd.exe
PID 2964 wrote to memory of 2472	2964	32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe	cmd.exe
PID 2472 wrote to memory of 884	2472	cmd.exe	netsh.exe
PID 2472 wrote to memory of 884	2472	cmd.exe	netsh.exe
PID 2472 wrote to memory of 884	2472	cmd.exe	netsh.exe
PID 2972 wrote to memory of 2696	2972	cmd.exe	vssadmin.exe
PID 2972 wrote to memory of 2696	2972	cmd.exe	vssadmin.exe
PID 2972 wrote to memory of 2696	2972	cmd.exe	vssadmin.exe
PID 2472 wrote to memory of 888	2472	cmd.exe	netsh.exe
PID 2472 wrote to memory of 888	2472	cmd.exe	netsh.exe
PID 2472 wrote to memory of 888	2472	cmd.exe	netsh.exe
PID 2972 wrote to memory of 2132	2972	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 2132	2972	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 2132	2972	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 2716	2972	cmd.exe	bcdedit.exe
PID 2972 wrote to memory of 2716	2972	cmd.exe	bcdedit.exe
PID 2972 wrote to memory of 2716	2972	cmd.exe	bcdedit.exe
PID 2972 wrote to memory of 1552	2972	cmd.exe	bcdedit.exe
PID 2972 wrote to memory of 1552	2972	cmd.exe	bcdedit.exe
PID 2972 wrote to memory of 1552	2972	cmd.exe	bcdedit.exe
PID 2972 wrote to memory of 1512	2972	cmd.exe	wbadmin.exe
PID 2972 wrote to memory of 1512	2972	cmd.exe	wbadmin.exe
PID 2972 wrote to memory of 1512	2972	cmd.exe	wbadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
"C:\Users\Admin\AppData\Local\Temp\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
C:\Users\Admin\AppData\Local\Temp\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
2⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Local\Temp\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
"C:\Users\Admin\AppData\Local\Temp\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
C:\Users\Admin\AppData\Local\Temp\32d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964.exe
4⤵
PID:3036

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2696

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:2716

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1552

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1512

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:884

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Indicator Removal

3

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.id[6D8887CC-3483].[[email protected]].8base

Filesize
189.5MB

MD5
f858a8d8ecbbc5634e4262b35d285aeb

SHA1
06fc21657f33f5aaa0dd22ea9fdf4d9d2f9f6f1a

SHA256
7717ad089a8fd5d72aea287bf9ef733d33a766aed4bda9d8dc02a43862a41ebd

SHA512
2797290a2124e661d2cd85862ac5d78517c76646778e0a43b868fee55e4887d7a7251a298c77490451e451898db4064703fa1a2bbfef35fd822bc8a61f6f2ad9

Download Submit
memory/1716-16-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-1-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-2-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/1716-3-0x0000000000960000-0x00000000009A6000-memory.dmp

Filesize
280KB

Download
memory/1716-4-0x00000000009E0000-0x0000000000A14000-memory.dmp

Filesize
208KB

Download
memory/1716-5-0x0000000000B30000-0x0000000000B7C000-memory.dmp

Filesize
304KB

Download
memory/1716-0-0x0000000001230000-0x0000000001278000-memory.dmp

Filesize
288KB

Download
memory/2412-32-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-21-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/2412-20-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-19-0x0000000001230000-0x0000000001278000-memory.dmp

Filesize
288KB

Download
memory/2964-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-45-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2964-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-11-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-2899-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-43-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-47-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-50-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-53-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-56-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-2331-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-66-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-6-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-278-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-2312-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3036-71-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3036-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads