fc748a45a8524436bd615954d2c11e6c942b5c47c16380a81e55458c7702c2f2

Resubmissions

28/02/2024, 13:18

240228-qkfstace42 4

28/02/2024, 13:17

240228-qjbsgace25 1

Analysis

max time kernel
104s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 13:17

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

virus.bat
Size

64B
MD5

b41dadc105a2e0d761cd9f95efad164f
SHA1

ba1e3f6f565c9f8b32cb1909125f8f2d2f1615a9
SHA256

fc748a45a8524436bd615954d2c11e6c942b5c47c16380a81e55458c7702c2f2
SHA512

e0a71ac44daf3bc8465d4f869e08f15a4dcb29475dde369ea8b42971710cafdea29adf8e1886b345dc7245f9a7519734bf6bdeceb4bf32b841ab488bdad7a936

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
13848	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5344	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 1792	4348	cmd.exe	88
PID 4348 wrote to memory of 1792	4348	cmd.exe	88
PID 4348 wrote to memory of 1536	4348	cmd.exe	90
PID 4348 wrote to memory of 1536	4348	cmd.exe	90
PID 4348 wrote to memory of 4896	4348	cmd.exe	92
PID 4348 wrote to memory of 4896	4348	cmd.exe	92
PID 4348 wrote to memory of 4044	4348	cmd.exe	94
PID 4348 wrote to memory of 4044	4348	cmd.exe	94
PID 4348 wrote to memory of 4568	4348	cmd.exe	96
PID 4348 wrote to memory of 4568	4348	cmd.exe	96
PID 4348 wrote to memory of 5016	4348	cmd.exe	222
PID 4348 wrote to memory of 5016	4348	cmd.exe	222
PID 4348 wrote to memory of 3840	4348	cmd.exe	221
PID 4348 wrote to memory of 3840	4348	cmd.exe	221
PID 4348 wrote to memory of 1216	4348	cmd.exe	220
PID 4348 wrote to memory of 1216	4348	cmd.exe	220
PID 4348 wrote to memory of 2380	4348	cmd.exe	219
PID 4348 wrote to memory of 2380	4348	cmd.exe	219
PID 4348 wrote to memory of 4740	4348	cmd.exe	218
PID 4348 wrote to memory of 4740	4348	cmd.exe	218
PID 4348 wrote to memory of 4708	4348	cmd.exe	217
PID 4348 wrote to memory of 4708	4348	cmd.exe	217
PID 4348 wrote to memory of 4232	4348	cmd.exe	216
PID 4348 wrote to memory of 4232	4348	cmd.exe	216
PID 4348 wrote to memory of 3460	4348	cmd.exe	215
PID 4348 wrote to memory of 3460	4348	cmd.exe	215
PID 4348 wrote to memory of 1948	4348	cmd.exe	214
PID 4348 wrote to memory of 1948	4348	cmd.exe	214
PID 4348 wrote to memory of 3976	4348	cmd.exe	213
PID 4348 wrote to memory of 3976	4348	cmd.exe	213
PID 4348 wrote to memory of 2184	4348	cmd.exe	212
PID 4348 wrote to memory of 2184	4348	cmd.exe	212
PID 4348 wrote to memory of 1672	4348	cmd.exe	211
PID 4348 wrote to memory of 1672	4348	cmd.exe	211
PID 4348 wrote to memory of 1840	4348	cmd.exe	210
PID 4348 wrote to memory of 1840	4348	cmd.exe	210
PID 4348 wrote to memory of 4572	4348	cmd.exe	209
PID 4348 wrote to memory of 4572	4348	cmd.exe	209
PID 4348 wrote to memory of 1524	4348	cmd.exe	208
PID 4348 wrote to memory of 1524	4348	cmd.exe	208
PID 4348 wrote to memory of 2796	4348	cmd.exe	207
PID 4348 wrote to memory of 2796	4348	cmd.exe	207
PID 4348 wrote to memory of 112	4348	cmd.exe	206
PID 4348 wrote to memory of 112	4348	cmd.exe	206
PID 4348 wrote to memory of 2044	4348	cmd.exe	205
PID 4348 wrote to memory of 2044	4348	cmd.exe	205
PID 4348 wrote to memory of 4216	4348	cmd.exe	204
PID 4348 wrote to memory of 4216	4348	cmd.exe	204
PID 4348 wrote to memory of 4048	4348	cmd.exe	97
PID 4348 wrote to memory of 4048	4348	cmd.exe	97
PID 4348 wrote to memory of 4864	4348	cmd.exe	202
PID 4348 wrote to memory of 4864	4348	cmd.exe	202
PID 4348 wrote to memory of 1708	4348	cmd.exe	201
PID 4348 wrote to memory of 1708	4348	cmd.exe	201
PID 4348 wrote to memory of 2348	4348	cmd.exe	200
PID 4348 wrote to memory of 2348	4348	cmd.exe	200
PID 4348 wrote to memory of 2224	4348	cmd.exe	199
PID 4348 wrote to memory of 2224	4348	cmd.exe	199
PID 4348 wrote to memory of 1008	4348	cmd.exe	198
PID 4348 wrote to memory of 1008	4348	cmd.exe	198
PID 4348 wrote to memory of 3732	4348	cmd.exe	197
PID 4348 wrote to memory of 3732	4348	cmd.exe	197
PID 4348 wrote to memory of 2664	4348	cmd.exe	196
PID 4348 wrote to memory of 2664	4348	cmd.exe	196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\virus.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4064
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4696
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7684
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8228
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8956
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9352
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9956
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12472
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12376

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\help.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:13848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\help.bat" "
1⤵
PID:14244

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3866055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\help.bat

Filesize
47B

MD5
19cb8c01ca87e89904eb9dcd16a13469

SHA1
9811a2f56ce9134bf5bb8853701aeb49b6ba7e40

SHA256
8132ef3b21db9a66844e6f5bbf96b131fae887c3feb5329c40df87fc9e6d7fec

SHA512
0565bebbe03ee1a3869654046e4cecb2b624e4bd778254b9ecc0f18aa1a47765db3630f29620d081725a9c300b22a30420bdccfabe39ed40f3f19d1c55c7a94a

Download Submit