7eb551e50bcfc1d4a3209399aaa5af6f6079aff2a233b103af933468d75dae30

Analysis

max time kernel
128s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Video.scr
Size

501KB
MD5

95e262649c92fe0ed751212d5ab5ceb4
SHA1

47335a184e4ea778f4bd5fefdb84862f53377486
SHA256

b401cbb362310927a6c965b0c08572cbe1d306a45f2c4fc0d180950b997c0f45
SHA512

b19dfee8dee74636e7887bc8a4e82795040c0508ba41c8fd591ff5ae9933cb4a69c83e4d738a47a771b07d018aee2ed9e8d54f94b5ed05ea4d0fe584f8f1c9dd
SSDEEP

6144:mKrxiyLvmWVXGlvqSKMXoztsPaB/9O+xBh0OXjNKU7+X0X+Yhs3hKjV0Muq+p/Oc:3tLXhnWoJsPa/FbTgU7HX+YZVDvZ9Y

Score

7^/10

ransomware spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÔÀÉËÛ.txt	Video.scr

Executes dropped EXE 1 IoCs

pid	Process
2696	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2140	Video.scr
2140	Video.scr
2140	Video.scr
2140	Video.scr

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\SysWOW64\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\_Default\HomeBasic\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\lpeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\OEM\Ultimate\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\_Default\Ultimate\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\UltimateE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\eval\HomePremiumN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\OEM\Starter\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\OEM\EnterpriseN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\eval\StarterN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasicE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasic\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\OEM\EnterpriseE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\eval\StarterE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremiumN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\_Default\EnterpriseN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\OEM\ProfessionalE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\eval\HomePremiumE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\eval\ProfessionalN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremiumE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\_Default\EnterpriseN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\OEM\Enterprise\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\_Default\ProfessionalN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\eval\Ultimate\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasicE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\eval\HomePremium\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasicN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\_Default\HomeBasicE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\_Default\UltimateN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\eval\EnterpriseE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremium\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\eval\EnterpriseN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremiumN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\_Default\Ultimate\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\OEM\StarterN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\WCN\en-US\Add_a_device_or_computer_to_a_network_usb.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\Ultimate\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\lipeula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\OEM\Starter\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\es-ES\Licenses\eval\Starter\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomeBasic\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\OEM\Ultimate\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasicE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\eval\HomePremiumE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\_Default\ProfessionalN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\eval\StarterN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasicE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasicN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\eval\ProfessionalN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\ja-JP\Licenses\OEM\ProfessionalE\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\WCN\ja-JP\Add_a_device_or_computer_to_a_network_usb.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\de-DE\Licenses\eval\UltimateN\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\SysWOW64\fr-FR\Licenses\_Default\UltimateN\license.rtf	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\Desktop\Wallpaper = "c:\\ooo.jpg"	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG	svchost.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg	svchost.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\winsatmediasamples_31bf3856ad364e35_6.1.7600.16385_none_0b34d0642122c1c4\Clip_480_5sec_6mbps_h264.mp4	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf	svchost.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.JPG	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\us_581f4464e637a2c6\HELP_What_is_Activation.rtf	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\it_e09c57750c431b94\OOBE_HELP_What_is_HomeGroup.rtf	svchost.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\us_e3dcb0ba12aa17d7\Add_a_device_or_computer_to_a_network_usb.rtf	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG	svchost.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG	svchost.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_9b79043567dee40c\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_it-it_27607ce0d66d59f6\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d736d369e9c074b5\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6286f234122031db\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_1f13ba22df0a61ce\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\SoftBlue.jpg	svchost.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-h..statement.resources_31bf3856ad364e35_6.1.7601.17514_de-de_e566a189254450cd\vofflps.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9eea396542b09367\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_1f3ca993b38eba0f\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_62df25c59bf13d16\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp2.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-h..atement_r.resources_31bf3856ad364e35_6.1.7601.17514_en-us_b558e03eab75aa2b\privacy.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_de-de_e662f6f8b87f49c0\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_it-it_66824d6f7f078d03\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\img7.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\img26.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_606c0c39cfc8e3d3\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d7860e8fdbc3ec95\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_en-us_461635f4a801c710\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_3f223e118fdfe4d4\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\img4.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\ASPdotNET_logo.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0509c517051939e2\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_de-de_92688006fc394ff6\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eb87d0be79581f9b\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_5cb8f6ec6f92741b\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp5.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_de-de_95a6423a6506ef76\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1055\eula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7d6d7fc69e556242\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_en-us_f04371ec21c4626e\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Web\Wallpaper\Characters\img20.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cf07afe341c4a9c6\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_896c43bb2bec630b	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_en-us_3335316deeffe44f\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_789a038687e73e79\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0a96c93d360af1ce\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_7c5a5728a7d5a785\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c68be0c2133a174b\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\3082\eula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b1837e63163037f\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\Globalization\MCT\MCT-AU\Wallpaper\AU-wp4.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_es-es_18ee408c6e8c2e28\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7ff30646d8c5721f\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_82de17a17fd19c14\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_eb806fad92a5e1bd\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\img23.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\img21.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_512fa3b8707f96fa\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_es-es_53d92c4ec2b28e59\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97763583000eedae\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8ff8d5f6972fa091\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp2.jpg	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-ie-eula.resources_31bf3856ad364e35_11.2.9600.16428_en-us_c6464ed8149df7fd\eula.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_de-de_77aa6534195a350d\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_es-es_79ab1e6143614d40\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_es-es_bccfa508b62ebcf2\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_en-us_1922e3a86e653c83\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_it-it_f7c88fd818ef8148\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_es-es_52164c29ccb273ce\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_22aa7c45cb978881\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_936f7103201721b3\license.rtf	svchost.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\img15.jpg	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\Desktop	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\Desktop\	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002213d23592f6d648a137f9bf65c22cfa00000000020000000000106600000001000020000000edccbb5601823176b117a3ae7318467dd0c6823f368c6061bea1d021a68d5f9a000000000e800000000200002000000019610ef44859982f7ff5e75d6a9d20730cb79a4d9e764dc125375d857c8430e990000000a4424ff44f9ea4ed39ea7097df7ceb3424070e5452cc3c37d60317de9b1b1b71eaf20005b78472677d0c5ebe38fb42f806116beb2d9bfdb111d784f95d57cc211ebea5551fbe874ea05687be0c228f72c9b62cc6b929e649f2e99fe03351b2cbc5a905cfa80047f60a79c4bb013e19face0c39889abd9d857b10a19bd779488d56b9f8688b2d3a3877e1cd643d17282640000000a62af44ec6a011d23e0d1e2c1dc55ab011998a9ed1a387a23f586019034b619f46739525b95332620cd8515d8defe4bf497eddd0bf7b78fe97e26e133ce67d30	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f046df71963cda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002213d23592f6d648a137f9bf65c22cfa00000000020000000000106600000001000020000000c578199b3c98b95471d8e6639af1c56915856372ed49094bc585b8457081c3e0000000000e800000000200002000000017e34a75ffe8bddc46d5bb04053486b009e959d684fe89229486890134f60cae200000007cee1bd7b95902effe6527dfe1b4d3966d622858899908bde74d5fb26ff28772400000001478da68a56e94c6c01871b13742064875a5e85b73a69dc74d57a9311f8ebf7451f5b8818f550e4d4c87c84b564582deb41a551dced400e53d17854a69c6bfbf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A433DE1-A889-11EE-9B34-6E556AB52A45} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410263815"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2696	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2436	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2436	iexplore.exe
2436	iexplore.exe
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2764	2140	Video.scr	28
PID 2140 wrote to memory of 2764	2140	Video.scr	28
PID 2140 wrote to memory of 2764	2140	Video.scr	28
PID 2140 wrote to memory of 2764	2140	Video.scr	28
PID 2140 wrote to memory of 2696	2140	Video.scr	29
PID 2140 wrote to memory of 2696	2140	Video.scr	29
PID 2140 wrote to memory of 2696	2140	Video.scr	29
PID 2140 wrote to memory of 2696	2140	Video.scr	29
PID 2696 wrote to memory of 1356	2696	svchost.exe	39
PID 2696 wrote to memory of 1356	2696	svchost.exe	39
PID 2696 wrote to memory of 1356	2696	svchost.exe	39
PID 2696 wrote to memory of 1356	2696	svchost.exe	39
PID 2140 wrote to memory of 2536	2140	Video.scr	37
PID 2140 wrote to memory of 2536	2140	Video.scr	37
PID 2140 wrote to memory of 2536	2140	Video.scr	37
PID 2140 wrote to memory of 2536	2140	Video.scr	37
PID 2536 wrote to memory of 2436	2536	cmd.exe	33
PID 2536 wrote to memory of 2436	2536	cmd.exe	33
PID 2536 wrote to memory of 2436	2536	cmd.exe	33
PID 2536 wrote to memory of 2436	2536	cmd.exe	33
PID 2436 wrote to memory of 2420	2436	iexplore.exe	35
PID 2436 wrote to memory of 2420	2436	iexplore.exe	35
PID 2436 wrote to memory of 2420	2436	iexplore.exe	35
PID 2436 wrote to memory of 2420	2436	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\Video.scr
"C:\Users\Admin\AppData\Local\Temp\Video.scr" /S
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\msg.vbs"
  2⤵
  PID:2764
- C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\svchost.exe
  "C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c uuu.bat
    3⤵
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\stata.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "http://moops.sooot.cn/"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2436 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\msg.vbs

Filesize
93B

MD5
b34b57288f11f444c45c6b01a5686f5b

SHA1
adf5cd49bba9f026170ba97f2583b4e33cc37eb3

SHA256
0e00483a4a7e1c83ad577e08a4207ea62ec51c7e817d921256855d857dda6262

SHA512
4aae8d2eeae05d501f98adecbcc54415838b48db405f8bae0afdc156ab633865724a37d9bd0dd08783e7a323b779f4af0702d1d499c593264b8b0cc1b92dc4b7

Download Submit
C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\stata.bat

Filesize
54B

MD5
37f62c226aeaa2be7cdfe7cd079db9fe

SHA1
5c9479864576b9617a0997fe745b4cf846279073

SHA256
b2ad75022d0f6a008df39fc6e5edf3550f6df011a5ff4a0100652a3fa3048179

SHA512
fde4d2a763a43403469713df775d1b6e332543d546973ac81158061b3971c1317a9ebbd7b0c7a2564f9297981ffb12f36b61f81f7a83b0c62751c80e458d2fbe

Download Submit
C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\svchost.exe

Filesize
208KB

MD5
847d3af29f513e9e4238be3de5720019

SHA1
90f2bc80435508b81c3445fa06914c8046f2c25d

SHA256
809ccd23028b121544489d9b47c551e4fbbc26f54b88c8bf2903d8fd342f2791

SHA512
caccca98980ac0ea744c090fcafb5cc0d8df51ca296d9661b8548f02a5208a1d78c3da8f558c289dfccd844c3cb5dfa5058b5135e915d7499a3bbe969d0b50ee

Download Submit
C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\svchost.exe

Filesize
177KB

MD5
1032c423c04bfbaf98e0b04ce2b3b8c8

SHA1
91757ca95b5e9678ddeb23faeb6b60a53c9a32ae

SHA256
76f801fb2c4e00a41507d64b477622356ed6d28551535b67369d61e592cbf27c

SHA512
6422dea881b002d4f5c75b50c6384c3b369f7e2a04dc72da43985da0b0f3b854a78ef9af0cf5aa5c62bd755c3b444d891724eb70bb6697400212bda1d740cdb6

Download Submit
C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\uuu.bat

Filesize
17B

MD5
bf55292f19b02c6dd1934f2ea2c6ae9d

SHA1
0dc0e99b63b557bd0eef88422a98bdd944bc0d86

SHA256
0a233cde4c8f447e9de44205506e62fee592a625f9c4e1ee1394a5de9712902e

SHA512
e570ce99327527cd3d63256eac3763ba88e33ff4110bbcbeddce0860e88b45afb8180ef82a01669a6e5205a28353a9fce95a1cd9906da10670f9a7c9d947c500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4acc15145eee6cfb417a1f13b48443f

SHA1
f4e0d0125aecc75e694b627178f55445d12728c1

SHA256
d0a5596ff0d73c083126d887a691e45518146148216f7aae51c8d92ab6968d47

SHA512
6caff19cee5acb9532e42bdb44993b18702829845ab8b2fcc2853a8899ac9080241d871ca00a05b1d5661a6db87951d808de8fffa1a4767ee93845482c88147e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db3fac66b21dc8128c6b55990461e288

SHA1
c3aa25d6604e5a54c311ca3fd6262f05278fcc58

SHA256
57ef45a61686d8db158d8cce58b90d7203619ed5c66072eee21b42105f3636b7

SHA512
47135d900827f5128a175c7a5c9f599b326ad03458b694d9fb56d5a64807111ba651a090fcdd949122c905f8dd9b668885100c56047c2a1e196b1638c9a5f4f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fe7829cf28bf7fbfb27ecf0da074409a

SHA1
715a80e80fa1b1e8a947f75364ac96cfd6083319

SHA256
670c6711cb9f450baf2e1d7abc9e1f16a8a7750532e750ce9ed89a91bd9f82c2

SHA512
cc211287c49895e72d20ab6b9d2f5f8c2939f623750f5d1c006ff7122038346559e1106c33f168d7d1f180de206ec904a47ca471eac62aa07112bb7a4ff3c369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
786fe63e9d942c8baf54d19ad14c01a7

SHA1
50f191b8a7403cf71043d0d05bf81c3825f3b538

SHA256
630f86d5241fc60ea07aabe4a3a7311fb379b11600169c1ff74ba72df2b5309a

SHA512
f4815524a399eabf134741ed5b9ff04a548f90cd74c7eba1c3ef4f0a502e84b58424a25628ff857bbff48e72a81ecc87e21d1883dcdb2a4d35db3ade13f8312a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5640c97c40d50bada82001173b1fb109

SHA1
4085c72bb7aa15df82ae8d4e59f4b7b716fee07e

SHA256
55f4823a37d970aaf7d34f396050f9a2d1a03c21ad398d78fd5c5b6e4c0450b8

SHA512
86b07e053e5b8809ba38812f5488a993e2bf6b834545958b18da3af190bbde751755dc7f6c1877c08c8f3155d8d986f081d82b1b642d78dc4d5854e833cc7914

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ed3f48315f7e6e66d08d0d5678ab6c6

SHA1
584cd7f8e71a4a3eca93a2c7ad2c2e739d318baa

SHA256
cbb9e463fd1487899bf5642fb852bf0df9d65654f4dc3d5f578b6f526cab4864

SHA512
c226852f3d36b28fb4538a113e234abca207b88e4858d286443b1ae6712333b38d281b3769da53598bbaeb6e5d49e5f977459fa6b8e5ea6c69342f0bbd1aa648

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
419856bce966782d8b3e6f3167b7295b

SHA1
cfc3b7897342dedbd246b4ef4ac9a5ca341db761

SHA256
431ff30ead84b1e4ca5984391bced62f231af0d5256cd17c36f09ddc43758332

SHA512
f238f375317b950f11b60960fe7ce6abc81049b52e60791369fd09c909e5a121aded134542997b9e21d18917793ac64c28706319f3e968258924ad59c5e31514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
efe8b2ed020c21bab8dc00fde731db44

SHA1
577ab00b680964721dcfd3c5f15eb2cd43e287d2

SHA256
582864403a17ef43a41092aa6e5333e9419212b7c172710063df1a5cc8b95f87

SHA512
370d7856cd71e3d8654d303c8634fb8c5b746e4a60f0a756e99f3fcc23c2aa3443b9898a6756408142566f1180d6299efebe3c477db8c7260c8a338268d575bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ab59b59a00ec6b4ceb318b6ea7bbbd1

SHA1
8418fc67d5ac415d2b3908da1becf6079f09bd43

SHA256
a7dde74db3acc934da31fa7129e651ae452a03652aaf711655a278dd6f46f9a3

SHA512
822f8a84fd369b2c89c5cb0d72ef0b743f1a7dcf7a3e179b39d07494bbeea10a8ae9c2276c0720996c507d7a285ced7456f2ef638ac24262029122a31acf80a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8BCE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C5E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\svchost.exe

Filesize
363KB

MD5
51110e395ff4bd02ba1964e0aac40ede

SHA1
5f6071853af3d92b90ba514f66272b2b40c6903c

SHA256
d941bbe06aa47be79909ec6b94d6ba68358c5cdfb542cb3de3acfe8895f889ab

SHA512
9de12e8feab39a41c2098526e24318b9ecbb972c4bb08e1ac82ee13e107dad8d91d876ad252a290d26e50ddc80bb1479cf62b8a5b425f7098ddcd36b6a7b6dce

Download Submit
\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\svchost.exe

Filesize
281KB

MD5
53675c620ab7bc96b7ebcbf7ec22f64d

SHA1
207d43e1776e71fdfb9b1f84f51cefc9c798d3fb

SHA256
c1a9cf898a9bbfc8c8e121657759db7d8505dd0de466fc1c5d6e2c0fe214b831

SHA512
c02b696e521b1ae1251f0f12be690e0506a9241e5bb65984a7cb7d66bd78ee90399f9169f3c044a601b2ec1d866c3470a39722c3bac9391ac5d87e7921ba3a82

Download Submit
memory/2140-37-0x0000000003620000-0x000000000365C000-memory.dmp

Filesize
240KB

Download
memory/2140-51-0x0000000003620000-0x000000000365C000-memory.dmp

Filesize
240KB

Download
memory/2140-52-0x0000000003620000-0x000000000365C000-memory.dmp

Filesize
240KB

Download
memory/2140-38-0x0000000003620000-0x000000000365C000-memory.dmp

Filesize
240KB

Download
memory/2140-28-0x0000000003620000-0x000000000365C000-memory.dmp

Filesize
240KB

Download
memory/2140-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-476-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-36-0x0000000003620000-0x000000000365C000-memory.dmp

Filesize
240KB

Download
memory/2696-45-0x0000000001C60000-0x0000000001CD7000-memory.dmp

Filesize
476KB

Download
memory/2696-467-0x0000000001C60000-0x0000000001CD7000-memory.dmp

Filesize
476KB

Download
memory/2696-466-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-57-0x0000000001C60000-0x0000000001CD7000-memory.dmp

Filesize
476KB

Download
memory/2696-465-0x0000000001C00000-0x0000000001C55000-memory.dmp

Filesize
340KB

Download
memory/2696-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-56-0x0000000001C00000-0x0000000001C55000-memory.dmp

Filesize
340KB

Download
memory/2696-53-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-50-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-46-0x0000000001C00000-0x0000000001C55000-memory.dmp

Filesize
340KB

Download
memory/2696-47-0x0000000000640000-0x0000000000642000-memory.dmp

Filesize
8KB

Download
memory/2696-48-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2696-42-0x0000000001C00000-0x0000000001C55000-memory.dmp

Filesize
340KB

Download
memory/2696-44-0x0000000001C00000-0x0000000001C55000-memory.dmp

Filesize
340KB

Download
memory/2696-43-0x0000000001C00000-0x0000000001C55000-memory.dmp

Filesize
340KB

Download
memory/2696-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download