Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
236s -
max time network
236s -
platform
windows10-1703_x64 -
resource
win10-20231220-en -
resource tags
-
submitted
11/02/2024, 20:38
Errors
General
-
Target
jhgw.py
-
Size
8KB
-
MD5
25656285e953e9a0d47f74e35b04cdc5
-
SHA1
8479a801987b0a837ad12ade4b96346857bcfc63
-
SHA256
fa6ef21abbecee8a4518ab0c4a06918e12cdf656ac17bce02fb2e0efc8affe9b
-
SHA512
cb002e7cc4410d76664d12c84d5d9e0cca3d20b595f2b9c14c5478f47256d035489df6d198aa77ee1b14d88b34f598d41f1b5fc5d052bcd4abde1962b6f87beb
-
SSDEEP
192:Z3JDdIFVpRN+9CNB7hrWibDkndjgsYFRo7sL:Z+zb+0jNhkndjgsYFRH
Malware Config
Signatures
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 19 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 12 IoCs
-
Modifies Internet Explorer settings 1 TTPs 55 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\jhgw.py1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3680.0.736475177\321624636" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac87cdad-e257-4e6d-8721-be6c033df608} 3680 "\\.\pipe\gecko-crash-server-pipe.3680" 1764 1be3cac4058 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3680.1.983175231\1369268003" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c26d9bff-e01a-48e4-9022-730709bf5a0d} 3680 "\\.\pipe\gecko-crash-server-pipe.3680" 2120 1be31a72b58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3680.2.1657865637\925764106" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2716 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3603434c-94df-42a5-bfcc-b9bc8df31094} 3680 "\\.\pipe\gecko-crash-server-pipe.3680" 2748 1be40a9c858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3680.3.1575876771\1267201066" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a974395-dd12-41a4-99a6-8b1365203356} 3680 "\\.\pipe\gecko-crash-server-pipe.3680" 3460 1be31a62b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3680.4.46469010\955064897" -childID 3 -isForBrowser -prefsHandle 4152 -prefMapHandle 4148 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3366d594-ded4-4c94-9b9a-37162ffa32ac} 3680 "\\.\pipe\gecko-crash-server-pipe.3680" 4156 1be41f94858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3680.6.1281260717\1986492252" -childID 5 -isForBrowser -prefsHandle 5016 -prefMapHandle 5020 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d65e91b2-dff0-4299-9cc8-af685aaf706d} 3680 "\\.\pipe\gecko-crash-server-pipe.3680" 5004 1be43206858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3680.7.803147902\1046553997" -childID 6 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eebe5f54-7f26-464c-a215-b3f306ffbbd6} 3680 "\\.\pipe\gecko-crash-server-pipe.3680" 5204 1be43208f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3680.5.213825658\13153778" -childID 4 -isForBrowser -prefsHandle 4884 -prefMapHandle 4880 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b7c0f26-4ee3-4c0a-9fc9-9ce2827b4e3d} 3680 "\\.\pipe\gecko-crash-server-pipe.3680" 4860 1be411cbb58 tab3⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Documents\UnblockSync.dot"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\ConvertFromGroup.pdf"1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FC6F73E79041610FB1F28FA86DD48411 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6ED1A15C11245B6E1C81A214AEC3A050 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6ED1A15C11245B6E1C81A214AEC3A050 --renderer-client-id=2 --mojo-platform-channel-handle=1628 --allow-no-sandbox-job /prefetch:13⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EC237C55FAE3E77CE30C838D4D2E872D --mojo-platform-channel-handle=2200 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EA621473D76CCA2BB9BB6491481B8357 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D949D62023D8F6A78948423F78774B6A --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8D6CC3D9C6E3EF5F027CE28DED9643B5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8D6CC3D9C6E3EF5F027CE28DED9643B5 --renderer-client-id=8 --mojo-platform-channel-handle=1900 --allow-no-sandbox-job /prefetch:13⤵
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Documents\UnblockSync.dot"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -nohome1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5692 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Documents\ExportSplit.xltm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -nohome1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\weklrwe.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a8e055 /state1:0x41c64e6d1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD537a0eceba9fc68a11616a311a8a721a6
SHA150008e06c434623eb933d8c5a5984da6eade33f6
SHA2568356e4d8c317ca805025a1e63ee967a9f0a3d20f06a65d6bb584ab33cd4562e1
SHA512aee733f6d0a09ed2d8d087a9ca26ac1943aeed1aa60c61aff7e343fb7f7d27087f6b83b759a6bd98c1c564757e51bd19b8ea3f0f60c705680e331d70b0d7dd17
-
Filesize
471B
MD5128883f132890be8f20258eb9978799f
SHA1b9edb700015398f7d4dd3b1a5383f482890df639
SHA256a66d40a357d67884bbb7cf78f691f4447c84c2aa7f375ef2d48ec6269207a635
SHA51210c257871cb6088a2908f986b975813c5ad6d7bb91093129775a54d236bbd9f6f86fc91c7d9a47fe8424aa1afbd3edba78fe835a823806e0e1afd8c2c90c20bc
-
Filesize
412B
MD5675e2610e245182f456e099223424e3f
SHA12941df7bcaa1253cd460499ecd3303ec0a089cb1
SHA256fa8eaf797b988c6a4458decb652118cb9026044c71cebe6fbac9d455b49168a0
SHA51202e4557bb23a1cb59b6e29ef7bbc72ff0aac549355b52b586b1ea7575e7abfd48bd967e847353b327655861e69fa616adb89fac2e93ef0e04764222411d94360
-
Filesize
412B
MD51fef80eb5b8114d751f82476c1aad4ad
SHA19e4b3369ef4e9872a9d49adabc78526755cec91a
SHA256105e527e72e392f53ea19f12e0c4764158122480b3295716c2d1827d0721daac
SHA51282fe619957fe5ee5c77a11720e05496bd253574da4e136c64c13c408ca90a9ea566d1e646b8a3727fc754d50bb226fcebc246f8f7ee8c8c2b233597e4f01faf8
-
Filesize
5KB
MD5af8467dd487cc61eebf385643b146969
SHA10b8a34cb9c6580552c5e87c2d80475afe9cdc2c8
SHA25664e5b95bb5b89ed173dd82992cede6b69d46ba1d9b6a8e8b97e43eea24ae24d4
SHA512fd85ec82d22e77171de1d8ddf2c66bce584e4a0a581745d3023c999726d97b3dd8cd16b9eb45d92aa96e2951f53f87f39d93f5ab2d8d5a9499a9c138e7279517
-
Filesize
5KB
MD5be19a5d423b7388070785d9536304bd1
SHA1ac0dee1639f00e279418b482b13d10ea72fc348c
SHA256ad421929fba6eef3d9bb967e8068b1be1ea02e9986fe51546886c7220a3c6a67
SHA512ef89c3d718764108f5f964b9328150916bb0714c9878d1ae327fa5da24ef39b83b675e95a9a9f271d4db3b97614eb018856348e92c206681c50919e87b2c2cbb
-
Filesize
4KB
MD539f935ac288138d0bdba219f80a26c51
SHA10f4db64bb4fb4cd6c2517c1b8db461ed53487541
SHA256dd1e906446827728b79fd86f45e1019f4dd956314909d96d380a11d2c7087b52
SHA512dd06c83ed3e02935d803c88c99b435926426ac3a43ae3386a3ca8dcf4294307ee9e90ac6c9121e4afd5540b9ac958828b5a07807501d6cdbe67d846c7762db4d
-
Filesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize
159KB
MD5ff8604803d3a4fa95e57ec0401c14c6e
SHA14551602b1ad9ce872b1096420fc172ad62d4ff7e
SHA2566b78f9bbf6211ed4a2a238abdfcd36a9ebad58395cfbb7ac49f6f430c8252ec0
SHA512842ca08d9c853b170e5353747f0165980b8c3e32ae06be4fdef51e1496349b12a8f2c50e576adaef82b8baa4721855a467fcdf5e568f85a20894e56146c8bc70
-
Filesize
24KB
MD53e6e9de44cc90ef739d366e3c4627110
SHA15f36b1b7e81be184db67f3aae8dd9ac66dc754a1
SHA256100efc124b59a60dd473816140798d5428963a177c9d008f5c2371dd337bb999
SHA512631265bec9201e3bff22e00403370443d3d45543cdfccff089d808dd2c543e3fff92ff254e24e3ac20dba86f2f760865b7b0ae63e9c6d0cd6faee8db76cbba9b
-
Filesize
8KB
MD55d4f6257b8a30e1b65fd3b26facc1ac1
SHA123b1654b783fa54f52bff652c566978695200a2f
SHA256c2d760641951e6d1ab62444d1ca4e672406957c58525aafd3d537667f05e1f49
SHA512a96c071273ffeed5bfbaa867b032e1f6f5b14cc9ea2ab8a689a7b02b3228f3b6c0c09660515053c4761d9a1cdac8c1c254a7766d4afc679d94c9540eceedcc9e
-
Filesize
2KB
MD57a040e9cfbe5708dc9c6288279e3a13d
SHA1bd0ec0136bb2a5dd6b447aa8c8a90565cbd78610
SHA2563a1661b3d1f4b1a3ee45fa5f09de5f082e6e44894866d5e385085fbb20d895b4
SHA5120e46644259f1a5461b6eeed78822d13f8d8ced8643cfb90bbf4e1d1459452a6e610f009bb6e137fbe0ead83ed92f75e24c4b868f72b498be05e2401c879bfa0b
-
Filesize
2.4MB
MD5353cb16d70eddce23d66f4aec7580061
SHA161121be0832167cc9ce2e8e54d7c6f0c0216f3b4
SHA2566279cc085547b82e8d80ef3b0b730a6e8bfe673ff3541548b0ff8781c13a524b
SHA5121316ba235a1e34cba4e9de2577c1287438d65aa55d65553eb738d1d31d97b1941f0154cb07a860d7a505bdc1e26d807a661943d4c9e852a108eaa3efc5e40223
-
Filesize
13KB
MD540ec6b2375dc0c644ff0d5297f6d789c
SHA10ab2f7b3a0d4e83c7988c2b8b6c8f1bc5dc6abaf
SHA256ca7be3c3d65a40c35b46ea87d55f64a5bf24836a741c9386ec256731e6fb6ca6
SHA5125bda5e0d5df6688bc89483e7e2d9bdd5071a58e4bafbde388ec46de87044346977cc75ebd32400b1d25c366f628b49521fa287803a67fcd62e26ab17a767627f
-
Filesize
758B
MD584cc977d0eb148166481b01d8418e375
SHA100e2461bcd67d7ba511db230415000aefbd30d2d
SHA256bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c
SHA512f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3
-
Filesize
20KB
MD5f4f020807e6f048178c0bd2862b9dc3a
SHA13446e786b8c7f625d38d0fc4a1095e1a13d2d5b4
SHA256a094dba0284316345094ddcdca4ba9f5a8529093d9b6e025d0be1fc24d4b7813
SHA512ed8a009d60bda4bcc7ca0b558632512363da65bd4145da223b3e489a354a34b7588f9152fd5a2eafe15760ae99c033b81057a39e8df7a870683bbf0bdd6d0291
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
281B
MD5c0a505b1176f73dfd39e85a005b820d9
SHA1166cb78219daa12f61ad3ddc17c6fce2a7fa08a0
SHA25608c5131aa8a5ee13c485e9df3cf157621844f3ebbdf206a549195c1136922f92
SHA5128157d3ef639c829edf7aa125d53e26859c651ac547621680e14521e18e6a6c54525693f47ffa82e5046ce43c2a8d5753fc18855eb81e8c92c35e07b3ea26f26c
-
Filesize
259B
MD5b265cb8bbbac9231f16e2100b3818e5e
SHA179c39340eac094e1c6c081430ec28e0cd63f5118
SHA25666f406db76e6112c51a69481345b2a14e21370b913d5eae9b6f6460a006ec661
SHA51250d6f15c119d1cf62fab0f7eb1853cbe2b8b617eccab8d94b5d4e2b20f2f24ec3ce750b4377f57cb7bcdf6581cd7bb51e58adf1d4a67fad433847fa45319e0b5
-
Filesize
2KB
MD57827f9930478af09d9e23621a094eb6c
SHA14b08a444f63ea8181754aa255dd38b41cbd37ab9
SHA256c0d8f33b08a81d0f8ab9b295dbc7ddcd902762fe98a66f8f5e04f21da416cded
SHA512bc8f407e14c666f8442f1d5199dbcb4de9bc29c4780cfbe6b34e81679ccf38b52088c1fe40e1df3b191d388bbd9240ffc07c7d8383150639e972d43e3185a453
-
Filesize
746B
MD579f50e67b54f921d27cc3604e892f2b7
SHA1c1126e0858f8f403d04cdc06617f6cbc4bc38f81
SHA256f9192afbb4d4939b44ac9d979cc37ad6175b28345cb5c449987721f8421f2865
SHA512fa96f8cca65e8c217eacad44f6b6e7e3df25bc85158e1505a48047c0aa70a006092eea5795d1a86764c28d98899a070c9b95b064d1ada1d43ae3bc5dc55bf8d8
-
Filesize
11KB
MD53817649de88f53c2b89c8b17c1ce5a8c
SHA1c7374a0287eda4f78276c1aa4772427edd468c97
SHA256a93215754095c2b5f5c0d3a1a39f6bc7a3b72a8fbcbe71c97a5bffc1fb9d7d3b
SHA5128ad07ad10df7e67c6056990cf21038ddc0b635d82930834f8c83d3193e6ebf5dfc649954c9f261028d63840c15d26923768ff13200454b00ac95f05b6656ef3a
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD53a3efcdb02023ed94eb1d67fe447061a
SHA1e6359d687c95e3b0b19856219589892a8f268387
SHA256d3c1081ce480dcc94ffe053baed153faaed0064e577e5d2c437df08dacb12cbf
SHA51228b72e217c4f282964b44f1c226db8a9e8f398a8dc3c4506ab8497fe9dbbb2d97b83988f7f956255e9b4792a20ef3f1b1a3911256dc10fdc42b7fc3c2657567e
-
Filesize
259B
MD5c8dc58eff0c029d381a67f5dca34a913
SHA13576807e793473bcbd3cf7d664b83948e3ec8f2d
SHA2564c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
SHA512b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4
-
Filesize
1KB
MD5a71c129d143d73ca7b70cc6649ed0d80
SHA18d67fda8cbe7052dd652f6adfe7d2e65f5a966d8
SHA256c6cb9bedb91dd61075ee6e75c90ddabd0c0f13f664e7c168d72ddfbaaeab29cd
SHA512de90708fb213633fed53d4c3391a50b38ece2b5ab8bbfb96f3514a24195bb5a866d7c7536d42c0fc8ab28125caf6b808d23dcbf0848827e169b444f0c9cf1820
-
Filesize
855B
MD59cfa255db5cd078f4bef272e9f9eaacc
SHA1c28e18a89ba6115eab922c039523776ce7159294
SHA256fd380d98596ae7fab4c4561576e19e646807d7fca3e14e13d3e26f8899451d0d
SHA51216a936e455800bf9124f1ad275039443507fb24c36b4aa15c9ab94f755a164eff3c0a78fbc422784405052e09f83d3a7cdba47448bc847a10ccaf61d6aff8e49
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB