lockfile | 2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0a89360bb9471af8b2b1136eafd65f.exe
Size

250KB
MD5

1f0a89360bb9471af8b2b1136eafd65f
SHA1

a7bd3592ff31c5c659cda9810936ddce842d6590
SHA256

2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a
SHA512

c696ee6a3a65cf01f120724c8536d14bbdc5283e6a62e1a26454629ea30c4015d62c1ba6139ca158f9952d6028ea7d9a1f76a4d2adad4e3a377d06607f5ad031
SSDEEP

6144:bAr3VCaIjpP65V3Q400RwDym6flM5OPh2r:bAr3VCMP00RwDymd5Uh2r

Score

10^/10

lockfile ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\LOCKFILE-README-GLTGRJAG-1704392475.hta

Ransom Note

<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="x-ua-compatible" content="ie=9"><title>LOCKFILE</title><hta:application id=LOCKFILE applicationName=LOCKFILE icon=explorer.exe selection=yes scroll=no contextmenu=no innerBorder=no windowState=maximize minimizeButton=no singleInstance=yes sysMenu=no /><link rel="stylesheet" href="public/css/test.css"><meta name="viewport" content="width=device-width, initial-scale=1.0"><style>html{font-size:100%}body{position:relative;border:0;font-family:Arial;padding:1% 0 0 0;margin:0;width:100vw;height:100vh;overflow:hidden}*{font-size:1rem}.g1{content:"";position:absolute;left:0;top:50%;transform:translateY(-50%);height:368px;width:150px;z-index:-1}.g2{z-index:-1;content:"";position:absolute;right:0;top:50%;transform:translateY(-50%);height:368px;width:150px}.container{width:90%;margin:auto}.container img{max-width:100%}.ht{margin-bottom:1%;position:relative;padding-left:16px;font-weight:900;font-size:1rem;line-height:100%;letter-spacing:.05em;text-transform:uppercase;color:#dedede}.hb{margin-bottom:1%}.hb img{width:850px;max-width:100%}.hi{margin-bottom:1rem;background:#fcfcfd;border:1px dashed #f71b3a;box-sizing:border-box;border-radius:4px;padding:1rem 3rem;width:100%}.hit{margin-bottom:1%;font-weight:bold;font-size:.9rem;line-height:100%;color:#222}.hib{font-weight:bold;font-size:.9rem;line-height:100%;color:#f71b3a}.main-p{font-weight:bold;font-size:1rem;line-height:125%;color:#333160}.mn{position:absolute;width:5%;height:276px;top:3rem}.mn img{max-width:90%}.ml1{position:absolute;width:50%;height:10rem;left:0;top:0;background:#f3f3fc;border:1px solid #cfd3da;box-sizing:border-box;padding:2% 2%}.ml2{position:absolute;width:50%;height:13rem;left:0;top:11rem;background:#f3f3fc;border:1px solid #cfd3da;box-sizing:border-box;padding:2% 2%}.mr3{position:absolute;padding:2% 2%;width:48%;height:24rem;left:52%;top:0;background:#ffdfdf;border:1px solid #ffa5aa;box-sizing:border-box;border-radius:4px;font-size:15px;line-height:130%}.mlb{font-size:.8rem;line-height:1.2;color:#8988a4;margin-top:2%;margin-bottom:2%}.mlb img{max-width:14px}.sp1{left:0;top:50%;position:absolute;display:block;width:6px;height:6px;background:#f71b3a;transform:translateY(-50%) rotate(135deg)}.mll{font-size:.9rem;line-height:1.2;color:#333160;margin-bottom:2%;position:relative;padding-left:20px}.mll a{font-size:.8rem}.mlt{margin-bottom:15px;font-weight:bold;font-size:.9rem;line-height:1.2;color:#333160}.mlt img{max-width:14px;position:relative}.mrli{font-size:.9rem;line-height:1.2;margin-bottom:2%;position:relative;padding-left:25px}.mrli a{font-size:.9rem}</style><script type="text/javascript">function o(c){var d=new ActiveXObject("WScript.Shell");d.run(c.href)};</script></head><body bgcolor=#F8F8F8 text="buttontext"><img class="g1" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAJYAAAFwAQMAAABgpRCKAAAABlBMVEXw8PDv7+81SmF7AAAAAXRSTlMBN+Ho8AAAAWpJREFUeAHt1slxBCEMhWFRs3AkhA7BIRAahEYIDoEQOM5CIfvOX2V5nwWOX+8t6RWirzIt1QamGayDaQY7gSlZBTuBKVkBO4ENMM1gFayBdTAly2AV7ATWwQaYZrACVsFOYB1sgClZBitgDewE1sGG0ZSsGK2CNbATWP/YDC/t6K9uYDsqe4Kyb/Pflx0Y9mUEC9CrHnrVgeHgRLANhimA+fkniAPDaU9gERJgI4PoCWAe0mMH5sAgytgSWIQMJdvIIC6D0TwZFGRnNEcGhSOT71iai/4ti39mJyim9bxly27TdFpkFayBnYzWly1btuxH7AVMElgAc2CSwCJYAPNgDkzIElgE24wWwLzRdkZzRpPvWFom+rPmjLYzmjda+EY/R7AEZpxBDxZuyPyN2+7Gzd2hya1buiFTmzmwHZgHiw+8l1q27PTD1r5h1WjFaBlMZhtG62AnsAZWwDKYzNbBGliZbchs9Z3eAJcyeuremDsyAAAAAElFTkSuQmCC"><img class="g2" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAJYAAAFwAQMAAABgpRCKAAAABlBMVEXv7+/w8PB6KHGJAAAAAnRSTlP/AZKwANwAAAGJSURBVHgB7dSHbQMhFMbxh1xQZwQWyA6MdozGCBmBEVB3QRApF3wk77P80l34q/+uH4Xqx56JWSRmO+LmuSXi5rll4haBEbcMLAEL3Apx2wFLwAIw4paB7YBFYAEYcSvAdsASsAjMAyNuBVgGtgMWheaBEbcitJ3QErAILADzwEhmBVheQGfig9ssncgCqyeLjfRioZkFVhfzb7QCZjrrbtesNJu4qbpYbo8AZjrbtUcAc52l9lhuqnYWZ1sB072F2Qww25ufzV2y9nrAKjfVW5ltJTTdW57NCM32tjtv7pKl2SahVZmpdxY/ZasvWXg1/cNmftX82fMsOg+YvVobNmxHvAgsAPPQ/rPRaDR64qQzN8dNVW4amAXmgE3cVOW2AqaBGaFZYA7YJLQqMyW01TdMQxu2+oYpoZHUJqE5YFZoBpgGtgJGyCZg7opsunKr123qBm115aavyFZCU9/ZDwywW2k08j9s4RsWhZaEtgOWgRWhVWQeWACWgO2AZWAVWQCWgBVg7MQX+2SwUiS8JcwAAAAASUVORK5CYII="><div class="container" style=""><div class="ht"><span style="width:6px;height:15px;background:#f71b3a;position:absolute;display:block;left:0;top:0"></span>LOCK <span style="color:#c4c4c4">FILE</span></div><div class="hb"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA4QAAAAwBAMAAAC706n2AAAAGFBMVEVHcEwiIiIiIiIiIiL3Gzr//f79tL76ZHmOe1JuAAAABHRSTlMA/axJAz2MyAAACKNJREFUeAHtmwli4joWRfPDBoDaAMMGnKol1LSBgtoAkA1k2H7LJxxeSW21TEjPfr/bsZ4Gh3t0Jduh7qaYYooppviPj2//hTFRmxBOCCeEE8IJ4YRwignhvzg+bzYrz7YmZ5tN92ejexv1J9QvUmwdgJ+b1D1VEIwkwpfT6e34RPHn6fRImehPyR53u93+0Q5EFKLpj9PpQP4yIAlbUfAydkud0lgcjZPxx8WfcoSbiwZ+prM0RohlhBozBfu8XiyW22IY6xU0HYiORAxngcYzG9nvzkiX+OTZ8oJsseAKxsxGD4tFR1OC3MO5G8XZgqC7CL/vdun4vNv9ovgjqZV+HHcE50nEcwkAz5cqCsZvivzk7NyacR2NgpexW/8bPHGUoO3Jc3HPAyEfwjPiTXxLyxDHQI3Ui9wcIVVD0VCtFPQvB+joYdxFxZwuNmJgfhLxy6xlSXMR5nhpHJfpRGj34gOetd5z5Icnoimpqa9VJcIjbYQ5EuEPET6J0Eoyz7YUoWDmgZDocmAVhHMRig01AqEm0EGQkm4bIZRE6PWXTRfqvpSf09KRay6kvwh14U4D6EKpVSSl6nsgtKEIqR/pwm9VF2pCbagEiJUjnLdduKZChPJAjXUwAM5KN0JKum2EkhAhPbqGC2UHSWqNqgsZq3ChC59lhSs45VW5C3+SFSFn71pIy4vbV4SoJ6WFsRy1kCKReqmGCAnZSTIQrpoIGQwgXp9Gq6YLWUG1/1+MQqnLXSj7GQ3LvXD3C2l14T52NI4AKqtiEghGSs6JCzVXQltS63npQtt6HRqRi3VHlWJRHJjd4rIbcpq78FyERbydyATVWbSg7El+GRotcxc+wLjhQi/s1KG7Uyh3ISmaly7EEAhJmSzUDkKjUV5VIvweCB3QcobF/Y/QhWYK3F78+PhNhHqmE6HCqmQdIS4x5x3fpgt9sYck4SEpW1j2JGMCdRFqPdlXXSguDg7soIMutEnGJQWCgVDBf0KAQhiWBsIx4VngZqDMhXWEdRd6bsSyowjgULUBF5qR/FKEF7gCsrlbE4cMYcOF5gIhwoOu4UIM6G3UwyDCdRWhLkTU3ZALc4RHq0qEVFlwwJYLPc/3wgZCJrEA2ghzFy66QLiqIcSAWPE6FwbCyM8lUnWh04urXu9CrcUS+FOEmmm0C025HjLgob0XXu9CealoiXDeQrga4ULwKegNLoSVHaoudLQNg7zbhfteq6Tj8Vz+XXPhc82FtJZNSgLtA/bC3WOG0M/oJ7vKhWxMDRcq0bZver0LA6G8tVzVhaZSdCNd+DC0F/Ynz66Ex/ZCmt/OyEWyjLRr74XtO1LfrolQMZzbTv9xe+Ey/a/uQrWlEsPe6sIHL1d3oeGzUNOFsxSLIRf2qibBL2Uq6y4sHyqsBxVJfFV34f7Uh/7LEFr5yKB9PD6J0Amp2P35LMXloWLpa8sUeQY1egClC50VXdet4zk8xQVZis+LARduiNpeqPPo2XCht8tNFxI2zbkk/zwmLLrQePp7hFGVI8SfHBzwV92F5zjU3874uoBwNY0pr2iDj/b6K8ugRi/esAsN+YSgxqpwofmu7kLSsGu68N4r1F1Ye8Gm696wWH4LCuVCGlUlwt/0NJkY1F0YCOvvSOnxkl0u5rBzO5uWbYS4dtCFDlMKGgi70oXmq3uhEBYjXOjiOM6F5Iq98PwoFy5U4poLDwVCXCeKlGTQW13oH5u8XvhARULgJkK6pP//QxcqbSALuFe5UFT2aLjQ+lEutHvhwu+IZlkRawhp5ghiOXgkye7admH9Hak9Xo6Xkh/RY/nHprYLk55f6i5URdrmZltCZawLA4YgGy4UYcOFbO0LRwouKp70PupC7ycyhFalw1OOUBR4kSSn735H+jP9F8FqKsJei3ADn0l1ejN0fVAqM94fbodcyDC6p0AYf831up44dMWFDzGBPsqFrswDLmTyP1lW8ByhtAOBCe25xy4k6XjDc6HhahoIsy0deZS1/VzIbK49F2qOEqG5q58LY6P+MBe6Mg/shfhLIHixjjBUNpHd55gE6m3vSA3rs7UROByVpP1cyBSuPBeaaiIc9VxI1lh+oAu92oALv/fKHS3XEB5LxraVYObVG96RVhHeZ3NbkJ9UsuXCpHLFhTD+OBfy0/hAF3ouwmx1/CUQBa+60HUve+NmPJEk1d4Lr3chDIilCJVnzEI6q7nQ+X+7C+++fLGF0Y12oVcQtL9TzLvIlS4cLOu4AqEMTJAxDjETbt8LXw4lwodsbsc3FkYivCsQ3m/VD/FWN7kw5oAlWVznQgfrOK7oIsKAXOyFGS+p2QR1dy6kuczQkoG3pM6Em9+Reu4dqY7zc4BQTQJYdS9EGRffpUn1s/87Xejj+T33rw7tFznWvpDr4rXftkAoYFqeB3tru3AXlGfLhSEi6u4fT/3DmU2DpAlwBSy9epUL9/vj6Xg6gCudpNIbupMXB6EbgdjUjiTSrNN/fo+TTComEcSS+rn4nh8kRCjWsS506NWdTPjSqMbxN3XY9cDXqD4NIbSln8mgkI2cr451F8Yud7BpWDNn6onJa/ZCgvbHbFM16BAT3pNzaT3u6082moOgfGhD/GtcaP/83aUIw9PrAuGsitCRbcloXkaEjHXNXhiSSigg2FZG2lGuV9yRBqldIEy1Bo01n/doIkT7DFgVIZ+fPtaon3zaLqwipJMI/U1JdCNdSGS1jl3c+XaBcNCFCq4NVbf2J1/LLoxukI29sOlCbeg4mcrM7bgVXDVduFZh+0hA/dhkbnLhKhDaUpjjXQhiX+lZWonQAce70PdbpKyStQld6Zm3qVfshaLKXOhbbi9WrHULELqqjlxIg9PapuqHs29x4fYuEN4Ssy8pslJ3479s+vn6+qrm//J49eIg/NBQqI+OrqvXTf84bYoJ4YRwQjghnBBOCKeYYooppphiiv+O+Bvo15hrmh7VCwAAAABJRU5ErkJggg=="></div><div class="hi"><div class="hit">Any attempts to restore your files with the thrid-party software will be <span style="color:#f71b3a;font-size:.9rem">fatal for your files!</span></div><div class="hib">Restore you data posible only buying private key from us.</div></div><div class="main-p">There is only one way to get your files back:</div><div style="position:relative;margin-top:15px"><div class="mn" style=""><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADgAAAEVBAMAAABH7TtxAAAALVBMVEVHcEz/NXAiIiL9DTYiIiKSIDUiIiL9EzwiIiIiIiL/N3L9ACP8AST+KF3+G0rPEf4SAAAADHRSTlMA/v7+PxmqQoLamc5bm0ExAAAB20lEQVR4Ae3ZtZYUURDG8W9npgV39289xd01w909w2Ncwjl95gHgPYhwWc1xYngFpLjdhd1G16vG539+reHF5+k/fj28c2vYKG/rP2zYsPV+OMxHBSrdvBIAtl9RqDQkKwAONihUeokJlyJkg0KlrAl5IU4kKhwm51ri1BLLBSYSsWFYOicllj/1wmG3z6qfxAAuRtlmkUU92lMu3kS2T42RQjnamPslhtwv1EE9T42RQrlCDdAoVKDM2ivrAaxchdLKpRAq0DOnBHqmaph8WLTY3pPkoOd5cVLeZnNle4dIPVqLFi1a7DtxcK580SFy0LsO2efg93nxRSdKixYtWrToiYs7RBY7RhZn5MW3eXHxX8sZ3U1atGjRYs+Nd7uZHNiUFxd2vizmbtaiRYsWOz7ubjrpbcHtpjneuKup6e5JP2xqeuiHSnHj+FJg7dErUNiU7nUH2YCQ5P4MKj3YeIlLl/MoaxSmew1YG3P/pTq3GDmgqcnR9ekqZjlYhUTi7qZ0dP0T2MpaJ92s1xgk/LLWuFD3mcV1rEBmk24VCDhVet16BCvXO+ogkDRs5YUdrLt2OOR+Rx0ElpNcf4lknUShKUScsIJEo1AHgWAVdIR6b4rQk/4YnMNP5yP+Vz9OakSaLAAAAABJRU5ErkJggg=="></div><div style="margin-left:6%;position:relative"><div class="ml1"><div style="position:relative;top:50%;transform:translateY(-50%)"><div style="font-weight:bold;font-size:1rem;line-height:1.2;color:#333160">contact us</div><div class="mlb" style=""><span class=sp2><img class=im1 src="data:image/x-icon;base64,AAABAAEAGBgAAAEAIACICQAAFgAAACgAAAAYAAAAMAAAAAEAIAAAAAAAAAkAAAAAAAAAAAAAAAAAAAAAAAD//////////9XV1f9YVlj/KScp/yUjJf8lIyX/JSMl/yUjJf8lIyX/JSMl/yUjJf8lIyX/JSMl/yUjJf8lIyX/JSMl/yUjJf8lIyX/JiQm/1FQUf/S0tL/////////////////+Pj4/2ppav8hHyH/JSMl/yUjJf8lIyX/JSMl/yQiJP8iICL/IiAi/yIgIv8iICL/IiAi/yIgIv8kIiT/JSMl/yUjJf8lIyX/JSMl/yEfIf9qaGr/+Pj4////////////5eTl/z49Pv8jISP/JSMl/yUjJf8lIyX/JCIk/zk3Of+CgYL/jYyN/42Mjf+NjI3/joyO/318ff80MjT/JCIk/yUjJf8lIyX/JSMl/yMhI/8+PT7/5eTl////////////4eHh/zw6PP8kIiT/JSMl/yUjJf8lIyX/IR8h/3Nxc/////////////////////////////v7+/9jYmP/IiAi/yUjJf8lIyX/JSMl/yQiJP88Ojz/4eHh////////////4eHh/zw6PP8kIiT/JSMl/yUjJf8lIyX/IR8h/3h3eP////////////////////////////v7+/9nZWf/IR8h/yUjJf8lIyX/JSMl/yQiJP88Ojz/4eHh////////////4eHh/zw6PP8kIiT/JSMl/yUjJf8lIyX/IiAi/11cXf/39/f//////////////////////+np6f9JR0n/IyEj/yUjJf8lIyX/JSMl/yQiJP88Ojz/4eHh////////////4eHh/zw6PP8kIiT/JSMl/yUjJf8lIyX/JCIk/y0sLf+srKz/////////////////8fHx/4KBgv8mJCb/JSMl/yUjJf8lIyX/JSMl/yQiJP88Ojz/4eHh////////////4eHh/zw6PP8kIiT/JSMl/yUjJf8lIyX/JSMl/yQiJP8zMTP/o6Kj//39/f/z8/P/eHd4/yUjJf8lIyX/JSMl/yUjJf8lIyX/JSMl/yQiJP88Ojz/4eHh////////////4eHh/zw6PP8kIiT/JSMl/yUjJf8lIyX/JSMl/yQhJP89PD3/x8fH///////+/v7/xsXG/z89P/8jISP/JSMl/yUjJf8lIyX/JSMl/yQiJP88Ojz/4eHh////////////4eHh/zw6PP8kIiT/JSMl/yUjJf8lIyX/JSMl/yIgIv+DgYP//////////////////////4OCg/8iICL/JSMl/yUjJf8lIyX/JSMl/yQiJP88Ojz/4eHh////////////4eHh/zw6PP8kIiT/JSMl/yUjJf8lIyX/JSMl/yIgIv+OjY7//////////////////////4yLjP8iICL/JSMl/yUjJf8lIyX/JSMl/yQiJP88Ojz/4eHh////////////4eHh/zw6PP8kIiT/JSMl/yUjJf8lIyX/JSMl/yMhI/9QT1D/5OPk////////////4+Pj/09OT/8jISP/JSMl/yUjJf8lIyX/JSMl/yQiJP88Ojz/4eHh////////////4uHi/zw6PP8kIiT/JSMl/yUjJf8lIyX/JSMl/yUjJf8lIyX/VlRW/6CfoP+enZ7/VlRW/yUjJf8lIyX/JSMl/yUjJf8lIyX/JSMl/yMhI/88Ojz/4uLi////////////7+/v/05NTv8hHyH/JSMl/yUjJf8lIyX/JSMl/yUjJf8lIyX/IiAi/yclJ/88Ojz/JSMl/yQiJP8lIyX/JSMl/yUjJf8lIyX/JSMl/yEfIf9QT1D/8PDw/////////////////6yrrP82NTb/JCIk/yQiJP8lIyX/JSMl/yUjJf8kIiT/IiAi/yIgIv+FhIX/l5aX/zAuMP8kIiT/JSMl/yUjJf8kIiT/JCIk/zg2OP+vrq////////////////////////39/f/T0tP/rKys/6Khov9DQkP/IyEj/yQiJP8vLS//aWhp/5STlP+/vr///v7+/5aVlv8mJCb/IyEj/0NBQ/+ioaL/rKys/9TT1P/+/v7///////////////////////////////////////n5+f9YV1j/IR8h/y4sLv+mpqb/+/v7/////////////////+np6f9IRkj/IB4g/1hWWP/5+fn///////////////////////////////////////////////////////b29v9XVlf/Hx0f/19eX//4+Pj///////////////////////39/f9sa2z/Hhwe/1ZVVv/19fX///////////////////////////////////////////////////////f39/9aWVr/Hhwe/3V0df////////////////////////////////90c3T/Hhwe/1pZWv/39/f///////////////////////////////////////////////////////39/f9vbW//Hhwe/1VUVf/y8vL///////////////////////Ly8v9VVFX/Hhwe/29ub//9/f3///////////////////////////////////////////////////////////+kpKT/JCIk/yknKf+Yl5j/+vr6////////////+/v7/5qZmv8pJyn/JCIk/6SjpP/////////////////////////////////////////////////////////////////q6er/VFNU/yAeIP8sKiz/bWxt/6Wkpf+lpKX/bm1u/y0rLf8gHiD/VFJU/+np6f//////////////////////////////////////////////////////////////////////0NDQ/1BPUP8kIiT/IR8h/yQiJP8kIiT/IR8h/yQiJP9QT1D/0NDQ/////////////////////////////////////////////////////////////////////////////////+Dg4P+CgYL/Pjw+/yclJ/8nJSf/Pj0+/4KBgv/g3+D///////////////////////////////////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="> UTox       </span><span class=sp2><img class=im1 src="data:image/x-icon;base64,AAABAAEAGBgAAAEAIACICQAAFgAAACgAAAAYAAAAMAAAAAEAIAAAAAAAAAkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAABgAAAAfAAAAHwAAAB8AAAAfAAAAHwAAAB8AAAAfAAAAHwAAAB8AAAAfAAAAHwAAAB8AAAAfAAAAHwAAAB8AAAAfAAAAHwAAAB8AAAAYAAAAAgAAAAAAAAAYAAAAjQAAANgAAADkAAAA5AAAAOQAAADkAAAA5AAAAOQAAADkAAAA5AAAAOQAAADkAAAA5AAAAOQAAADkAAAA5AAAAOQAAADkAAAA5AAAAOQAAADYAAAAjQAAABgAAAChAAAA/wAAAOMAAACIAAAAgQAAAIIAAACBAAAAgQAAAIEAAACBAAAAgQAAAIEAAACBAAAAgQAAAIEAAACBAAAAgQAAAIEAAACCAAAAgQAAAIgAAADjAAAA/wAAAKEAAAD1AAAA8QAAAPEAAABnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGcAAADxAAAA8QAAAPUAAAD/AAAAlQAAAKwAAADwAAAAVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVAAAAPAAAACsAAAAlQAAAP8AAAD/AAAAfgAAABsAAADEAAAA5QAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAA5QAAAMQAAAAbAAAAfgAAAP8AAAD/AAAAgQAAAAAAAAAuAAAA1gAAANYAAAAuAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC4AAADWAAAA1gAAAC4AAAAAAAAAgQAAAP8AAAD/AAAAgAAAAAAAAAAAAAAAQAAAAOUAAADEAAAAHwAAAAAAAAAAAAAAAAAAACcAAAAnAAAAAAAAAAAAAAAAAAAAHwAAAMQAAADlAAAAPwAAAAAAAAAAAAAAgAAAAP8AAAD/AAAAgAAAAAAAAAAAAAAAAAAAAFQAAADwAAAAsAAAABIAAAAAAAAATAAAANwAAADcAAAATAAAAAAAAAASAAAAsAAAAPAAAABUAAAAAAAAAAAAAAAAAAAAgAAAAP8AAAD/AAAAgAAAAAAAAAAAAAAAAAAAAAAAAABqAAAA9gAAAJoAAABrAAAA7AAAANEAAADRAAAA7AAAAGsAAACaAAAA9gAAAGoAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAP8AAAD/AAAAgAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAhgAAAP0AAAD8AAAAtAAAACIAAAAiAAAAtAAAAPwAAAD9AAAAhgAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAP8AAAD/AAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAUAAAAngAAAPsAAACaAAAAFAAAAAAAAAAAAAAAFAAAAJoAAAD7AAAAngAAABQAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAP8AAAD/AAAAgAAAAAAAAAAAAAAAAAAAACMAAAC0AAAA9QAAAH8AAAAKAAAAAAAAAAAAAAAAAAAAAAAAAAoAAAB/AAAA9gAAALQAAAAjAAAAAAAAAAAAAAAAAAAAgAAAAP8AAAD/AAAAgAAAAAAAAAAAAAAANgAAAMsAAADtAAAAZQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAZQAAAO0AAADLAAAANgAAAAAAAAAAAAAAgAAAAP8AAAD/AAAAgAAAAAAAAABMAAAA3wAAAN8AAABMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEwAAADfAAAA3wAAAEwAAAAAAAAAgAAAAP8AAAD/AAAAhgAAAGIAAADtAAAAywAAADYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AAAAywAAAO0AAABiAAAAhgAAAP8AAAD2AAAA4AAAAPAAAACxAAAAHwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHwAAALEAAADwAAAA4AAAAPYAAAChAAAA/wAAAPQAAACYAAAAfwAAAIIAAACBAAAAgQAAAIEAAACBAAAAgQAAAIEAAACBAAAAgQAAAIEAAACBAAAAgQAAAIEAAACCAAAAfwAAAJgAAAD0AAAA/wAAAKEAAAAYAAAAjQAAANgAAADjAAAA5AAAAOQAAADkAAAA5AAAAOQAAADkAAAA5AAAAOQAAADkAAAA5AAAAOQAAADkAAAA5AAAAOQAAADkAAAA5AAAAOMAAADYAAAAjQAAABgAAAAAAAAAAgAAABgAAAAfAAAAHwAAAB8AAAAfAAAAHwAAAB8AAAAfAAAAHwAAAB8AAAAfAAAAHwAAAB8AAAAfAAAAHwAAAB8AAAAfAAAAHwAAAB8AAAAYAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA/wAAAH4AAAAAAAAAAAAAAAAAAAAAAAAQAAgAAAAAAAAAAAAAAAAAABgAAAB+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///wA="> Email </span></div><div class="mll"><span class=sp1></span> qTox ID:  B2F873769EB6B508EBC2103DDEB7366CEFB7B09AB8314DAD0C4346169072686690489B47EAEB     <a href="https://utox.org/" class=ah1 onclick="o(this)">https://tox.chat/download.html</a> </a></div><div class="mll"><span class=sp1></span> Email:     [email protected]    </div></div></div><div class="ml2"><div style="position:relative;top:50%;transform:translateY(-50%)"><div class="mlt" style="">Through a <img style="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABYAAAAWCAMAAADza

Emails

[email protected]

URLs

http-equiv="Content-Type"

http-equiv="x-ua-compatible"

Extracted

Path

C:\Users\Public\LOCKFILE-README.hta

Family

lockfile

Ransom Note

LOCK FILE Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: contact us qTox ID: B2F873769EB6B508EBC2103DDEB7366CEFB7B09AB8314DAD0C4346169072686690489B47EAEB https://tox.chat/download.html Email: [email protected] Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion This link only works in Tor Browser! Follow the instructions on this page Do not try to recover files yourself. this process can damage your data and recovery will become impossible Do not rename encrypted files. Do not waste time trying to find the solution on the Internet. The longer you wait, the higher will become the decryption key price Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Thanks to the warning wallpaper provided by lockbit, it's easy to use

Emails

[email protected]

URLs

https://tox.chat/download.html

http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion

Signatures

Detect LockFile payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3004-1281-0x000000013FA40000-0x000000013FB19000-memory.dmp	family_lockfile
behavioral1/memory/3004-7684-0x000000013FA40000-0x000000013FB19000-memory.dmp	family_lockfile

LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
ransomware lockfile
Renames multiple (1058) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 29 IoCs

Processes:

1f0a89360bb9471af8b2b1136eafd65f.exe

description	ioc	process
File created	C:\Windows\System32\drivers\UMDF\en-US\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\it-IT\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\etc\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\es-ES\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\de-DE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\UMDF\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\UMDF\fr-FR\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\ja-JP\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\fr-FR\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\UMDF\it-IT\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\en-US\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\it-IT\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\UMDF\ja-JP\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\en-US\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\de-DE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\es-ES\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\UMDF\de-DE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\drivers\UMDF\es-ES\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

452 cmd.exe

pid	process
452	cmd.exe

Drops startup file 1 IoCs

Processes:

1f0a89360bb9471af8b2b1136eafd65f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3004-0-0x000000013FA40000-0x000000013FB19000-memory.dmp	upx
behavioral1/memory/3004-1281-0x000000013FA40000-0x000000013FB19000-memory.dmp	upx
behavioral1/memory/3004-7684-0x000000013FA40000-0x000000013FB19000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

Processes:

1f0a89360bb9471af8b2b1136eafd65f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\Dism\it-IT\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\Amd64\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\es-ES\Licenses\_Default\EnterpriseE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\es-ES\Licenses\_Default\HomeBasicN\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\icsxml\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpn1.inf_amd64_neutral_e44cc033b67e7d04\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tape.inf_amd64_neutral_c6a6811d3d827dba\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\Setup\es-ES\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremiumN\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomeBasicE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\com\ja-JP\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\de-DE\Licenses\OEM\HomePremiumE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\spp\tokens\issuance\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\ja-JP\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Enterprise\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-StorageMigration\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmrock5.inf_amd64_neutral_cadd97421d121ebb\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_neutral_c81780c5dcabd0a0\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wsdprint.inf_amd64_neutral_f91980f20f3112ed\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-NetworkBridge\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\Setup\ja-JP\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasicN\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\data\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\config\RegBack\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmarch.inf_amd64_neutral_4261401e3170ebfb\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlasno.inf_amd64_neutral_c86d5b5e5fa8b48a\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prncs302.inf_amd64_ja-jp_96eca15be06b1482\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\spool\drivers\x64\3\mui\0409\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\IME\IMETC10\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\Speech\Engines\SR\it-IT\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicN\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wdmvsc.inf_amd64_neutral_a2cf745000e2ea92\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\ja-JP\Licenses\_Default\ProfessionalE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\oobe\en-US\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcomp.inf_amd64_neutral_e5ca2f01ca47bddb\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmotou.inf_amd64_neutral_eb1d978f38f35bca\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv002.inf_amd64_neutral_6ca80563d6148ee5\Amd64\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\wbem\fr-FR\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\slmgr\0410\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\ProfessionalN\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\catroot2\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\Dism\de-DE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\angelu64.inf_amd64_neutral_3d6079dd78127f5e\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaep002.inf_amd64_neutral_0a982dec66379cb0\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\migwiz\replacementmanifests\Microsoft-Windows-OfflineFiles-Core\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasicN\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomeBasicN\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdsi.inf_amd64_neutral_e77f438012239042\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00w.inf_amd64_neutral_d4c93bb2fbf75723\Amd64\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\DriverStore\en-US\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0013\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\Amd64\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Starter\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe

Drops file in Program Files directory 64 IoCs

Processes:

1f0a89360bb9471af8b2b1136eafd65f.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\kamchatka	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0292286.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\mawson	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\bl00152_.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0105360.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\bs00441_.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\outlook.dev_k_col.hxk	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\bdrtkful.poc	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\recovr32.cnv	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\so02268_.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0238959.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\sy00560_.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\na01474_.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_cn.jar	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0292278.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\nairobi	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\acro20.lng	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\so00704_.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\tr00126_.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0287020.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\brussels	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0105912.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\infopath_col.hxt	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\syowa	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\recycle.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\madeira	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\dd01170_.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\pswavy.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\bd06102_.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\form.js	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\pe03668_.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0198102.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\email11.poc	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0250504.wmf	1f0a89360bb9471af8b2b1136eafd65f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\brch98sp.poc	1f0a89360bb9471af8b2b1136eafd65f.exe

Drops file in Windows directory 64 IoCs

Processes:

1f0a89360bb9471af8b2b1136eafd65f.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_eventviewersettings.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4a360e25beb75a4d\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..putername.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ec2a8bc0ed056604\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-events.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a041c100b985443d\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_ddores.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5c4247eed23781da\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..madvanced.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aee713c9ed7b0da3\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel\8.0.0.0__b03f5f7f11d50a3a\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml.resources\2.0.0.0_ja_b77a5c561934e089\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_prnnr003.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_26bf1facff1302e4\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_tsprint.inf_31bf3856ad364e35_6.1.7601.17514_none_ca1bed7d5beee2f8\amd64\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-icsigd.resources_31bf3856ad364e35_6.1.7600.16385_es-es_14256cc5377d4e42\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_es-es_c8451224905fb33f\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-duser.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73a83d2d2f7a0e00\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-twext.resources_31bf3856ad364e35_6.1.7600.16385_es-es_11eab51bccaaf9d5\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dpiscaling.resources_31bf3856ad364e35_6.1.7600.16385_en-us_057de34e5a8ea31c\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-infocard.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_c5079e0d3ab8f002\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rpc-ns.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7266a173a5b0605a\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.comexp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_251c978d797d5c4b\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_devicepairingproxy.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7f4f041e22424650\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_msdv.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b1d69ea4b8ab3c12\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_desktop_shell-gettingstarted.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_debfc28a2e2600eb\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_netfx-_vsavb7rtui_b03f5f7f11d50a3a_6.1.7600.16385_none_24e6a98ae7855ab9\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\msil_microsoft.web.manag..nt.webdav.resources_31bf3856ad364e35_6.1.7600.16385_de-de_71b1283683a76a6f\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\assembly\GAC_MSIL\ComSvcConfig\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\msil_iiehost_b03f5f7f11d50a3a_6.1.7600.16385_none_56100bff47b890a3\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-taskbarcpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2803da416ca2cec0\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.nap.resources_31bf3856ad364e35_6.1.7600.16385_de-de_821d94e46283e8d1\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-compact.resources_31bf3856ad364e35_6.1.7600.16385_de-de_24a866aeedb4c9f8\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bubbles.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f5c9b4fc7fa82f2\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-adminmmc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5081821862f9dc0a\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-atbroker.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_65b0ce353b009c87\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ehprivjob.resources_31bf3856ad364e35_6.1.7600.16385_de-de_49e806b857d27fcf\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e746c4ae38d15130\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..favorites.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_aa2f4b7be84827f9\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b12fab6d36e5136e\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..n-comrepl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7a43d94b3ba04b6e\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Core.resources\3.5.0.0_it_b77a5c561934e089\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Json\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wusa.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_98d236f1683c8164\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.1.7601.17514_none_749de8353d4bd160\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..-msscript.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ceaabf751a874229\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..-detector.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cbe144ab260021bd\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\msil_system.drawing.design.resources_b03f5f7f11d50a3a_6.1.7600.16385_ja-jp_3ca4dcce1313e214\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_hidbth.inf_31bf3856ad364e35_6.1.7600.16385_none_7f07aed06f24a51d\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..utilities.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6e201243d7806634\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..erycenter.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1276d7675954221c\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-efs-rekeywiz.resources_31bf3856ad364e35_6.1.7600.16385_en-us_15495050540f23f5\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-onex.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b39ac2b4e1f167d\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rpc-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d0e436e42475718a\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\assembly\GAC_32\System.Data.OracleClient\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.MediaCenter.Interop\6.1.0.0__31bf3856ad364e35\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_netfx-iehost_b03f5f7f11d50a3a_6.1.7600.16385_none_7dd203ef359dfcfb\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8ba155016eda35d6\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..cy-engine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_524bb44d60ddbc71\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cdosys.resources_31bf3856ad364e35_6.1.7601.17514_nb-no_1d1edaf7a80e1441\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dpapi-keys.resources_31bf3856ad364e35_6.1.7600.16385_it-it_756ddde051618f16\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-events.resources_31bf3856ad364e35_6.1.7600.16385_it-it_cb88b5d13e2d7b8c\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ols-klist.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8942ec8df0dc8142\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.iismmc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4b7529f49a9291a6\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\assembly\GAC_MSIL\System.XML.resources\2.0.0.0_de_b77a5c561934e089\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_it-it_37669c3d6397c19d\LOCKFILE-README-GLTGRJAG-1704392475.hta	1f0a89360bb9471af8b2b1136eafd65f.exe

Kills process with WMI 9 IoCs
evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

2716 WMIC.exe
2976 WMIC.exe
1728 WMIC.exe
2732 WMIC.exe
2724 WMIC.exe
2456 WMIC.exe
2532 WMIC.exe
2696 WMIC.exe
2600 WMIC.exe

pid	process
2716	WMIC.exe
2976	WMIC.exe
1728	WMIC.exe
2732	WMIC.exe
2724	WMIC.exe
2456	WMIC.exe
2532	WMIC.exe
2696	WMIC.exe
2600	WMIC.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2016 PING.EXE

pid	process
2016	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeSystemProfilePrivilege	2976	WMIC.exe
Token: SeSystemtimePrivilege	2976	WMIC.exe
Token: SeProfSingleProcessPrivilege	2976	WMIC.exe
Token: SeIncBasePriorityPrivilege	2976	WMIC.exe
Token: SeCreatePagefilePrivilege	2976	WMIC.exe
Token: SeBackupPrivilege	2976	WMIC.exe
Token: SeRestorePrivilege	2976	WMIC.exe
Token: SeShutdownPrivilege	2976	WMIC.exe
Token: SeDebugPrivilege	2976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2976	WMIC.exe
Token: SeRemoteShutdownPrivilege	2976	WMIC.exe
Token: SeUndockPrivilege	2976	WMIC.exe
Token: SeManageVolumePrivilege	2976	WMIC.exe
Token: 33	2976	WMIC.exe
Token: 34	2976	WMIC.exe
Token: 35	2976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeSystemProfilePrivilege	2976	WMIC.exe
Token: SeSystemtimePrivilege	2976	WMIC.exe
Token: SeProfSingleProcessPrivilege	2976	WMIC.exe
Token: SeIncBasePriorityPrivilege	2976	WMIC.exe
Token: SeCreatePagefilePrivilege	2976	WMIC.exe
Token: SeBackupPrivilege	2976	WMIC.exe
Token: SeRestorePrivilege	2976	WMIC.exe
Token: SeShutdownPrivilege	2976	WMIC.exe
Token: SeDebugPrivilege	2976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2976	WMIC.exe
Token: SeRemoteShutdownPrivilege	2976	WMIC.exe
Token: SeUndockPrivilege	2976	WMIC.exe
Token: SeManageVolumePrivilege	2976	WMIC.exe
Token: 33	2976	WMIC.exe
Token: 34	2976	WMIC.exe
Token: 35	2976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1f0a89360bb9471af8b2b1136eafd65f.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3004 wrote to memory of 2936	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2936	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2936	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 2936 wrote to memory of 2976	2936	cmd.exe	WMIC.exe
PID 2936 wrote to memory of 2976	2936	cmd.exe	WMIC.exe
PID 2936 wrote to memory of 2976	2936	cmd.exe	WMIC.exe
PID 3004 wrote to memory of 2160	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2160	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2160	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 2160 wrote to memory of 1728	2160	cmd.exe	WMIC.exe
PID 2160 wrote to memory of 1728	2160	cmd.exe	WMIC.exe
PID 2160 wrote to memory of 1728	2160	cmd.exe	WMIC.exe
PID 3004 wrote to memory of 2560	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2560	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2560	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 2560 wrote to memory of 2600	2560	cmd.exe	WMIC.exe
PID 2560 wrote to memory of 2600	2560	cmd.exe	WMIC.exe
PID 2560 wrote to memory of 2600	2560	cmd.exe	WMIC.exe
PID 3004 wrote to memory of 2680	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2680	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2680	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 2680 wrote to memory of 2696	2680	cmd.exe	WMIC.exe
PID 2680 wrote to memory of 2696	2680	cmd.exe	WMIC.exe
PID 2680 wrote to memory of 2696	2680	cmd.exe	WMIC.exe
PID 3004 wrote to memory of 2728	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2728	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2728	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 2728 wrote to memory of 2716	2728	cmd.exe	WMIC.exe
PID 2728 wrote to memory of 2716	2728	cmd.exe	WMIC.exe
PID 2728 wrote to memory of 2716	2728	cmd.exe	WMIC.exe
PID 3004 wrote to memory of 2672	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2672	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2672	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 2672 wrote to memory of 2732	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2732	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2732	2672	cmd.exe	WMIC.exe
PID 3004 wrote to memory of 2496	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2496	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2496	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 2496 wrote to memory of 2724	2496	cmd.exe	WMIC.exe
PID 2496 wrote to memory of 2724	2496	cmd.exe	WMIC.exe
PID 2496 wrote to memory of 2724	2496	cmd.exe	WMIC.exe
PID 3004 wrote to memory of 2712	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2712	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2712	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 2712 wrote to memory of 2456	2712	cmd.exe	WMIC.exe
PID 2712 wrote to memory of 2456	2712	cmd.exe	WMIC.exe
PID 2712 wrote to memory of 2456	2712	cmd.exe	WMIC.exe
PID 3004 wrote to memory of 2508	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2508	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 3004 wrote to memory of 2508	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	cmd.exe
PID 2508 wrote to memory of 2532	2508	cmd.exe	WMIC.exe
PID 2508 wrote to memory of 2532	2508	cmd.exe	WMIC.exe
PID 2508 wrote to memory of 2532	2508	cmd.exe	WMIC.exe
PID 3004 wrote to memory of 1772	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	mshta.exe
PID 3004 wrote to memory of 1772	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	mshta.exe
PID 3004 wrote to memory of 1772	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	mshta.exe
PID 3004 wrote to memory of 1880	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	mshta.exe
PID 3004 wrote to memory of 1880	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	mshta.exe
PID 3004 wrote to memory of 1880	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	mshta.exe
PID 3004 wrote to memory of 2292	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	mshta.exe
PID 3004 wrote to memory of 2292	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	mshta.exe
PID 3004 wrote to memory of 2292	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	mshta.exe
PID 3004 wrote to memory of 1800	3004	1f0a89360bb9471af8b2b1136eafd65f.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\1f0a89360bb9471af8b2b1136eafd65f.exe
"C:\Users\Admin\AppData\Local\Temp\1f0a89360bb9471af8b2b1136eafd65f.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmwp%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vmwp%'" call terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%sqlservr%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%sqlservr%'" call terminate
    3⤵
    - Kills process with WMI
    PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%omtsreco%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmware%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%tnslsnr%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%oracle%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%mysqld%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vbox%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%virtualbox%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:676
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:2204
- C:\Windows\system32\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 && del "C:\Users\Admin\AppData\Local\Temp\1f0a89360bb9471af8b2b1136eafd65f.exe" && exit
  2⤵
  - Deletes itself
  PID:452
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2016
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1188
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1516
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1848
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1392
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1800
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:2292
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1880
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1772

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%virtualbox%'" call terminate
1⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%vbox%'" call terminate
1⤵
- Kills process with WMI
PID:2600

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%omtsreco%'" call terminate
1⤵
- Kills process with WMI
PID:2732

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%oracle%'" call terminate
1⤵
- Kills process with WMI
PID:2724

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%tnslsnr%'" call terminate
1⤵
- Kills process with WMI
PID:2456

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%vmware%'" call terminate
1⤵
- Kills process with WMI
PID:2532

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "name like '%mysqld%'" call terminate
1⤵
- Kills process with WMI
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\LOCKFILE-README-GLTGRJAG-1704392475.hta

Filesize
26KB

MD5
1081f7601b184340776f0ed997f7645f

SHA1
6e952b4415ea7c60a726006bfeb08d89f00f694d

SHA256
b199bcbfa99f8e76eff033179a32521c69b7b5396a9e4a5fb37166b467392b76

SHA512
e3885fc903df378f9d667d750bff74cfb6082b907e7d7a529269eba6aca839807c9343bbc78af361598bf7ea95909a65fae87f6897d6ceb5ae336aef83742b8c

Download Submit
C:\Users\Public\LOCKFILE-README.hta

Filesize
21KB

MD5
eb158675e76fc2445e6763566d99a7c3

SHA1
f204da7d6e4c3aa5bfce08b3aa203b286eec972c

SHA256
2a46f52d5cab528f6b23fc1496945129a52ab7fc240a701529db7818e7a8d9e9

SHA512
78f017e88ad661cacf0b497903cc65e891c61b3cc651d72270852511dc5c7821fc21ead347e9e2d79c9d01876204fae2f4a08da7fcc46fa7342dcf58ad85fd55

Download Submit
memory/3004-0-0x000000013FA40000-0x000000013FB19000-memory.dmp

Filesize
868KB

Download
memory/3004-1281-0x000000013FA40000-0x000000013FB19000-memory.dmp

Filesize
868KB

Download
memory/3004-7684-0x000000013FA40000-0x000000013FB19000-memory.dmp

Filesize
868KB

Download