infinitylock | f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

Analysis

max time kernel
192s
max time network
180s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

211KB
MD5

b805db8f6a84475ef76b795b0d1ed6ae
SHA1

7711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256

f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA512

62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
SSDEEP

1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON

Score

10^/10

infinitylock ransomware

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00014_.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\CHEVRON.ICO.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00255_.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ECHO.INF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00602_.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2B.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUOPTIN.DLL.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02368_.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDIRM.XML.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXT.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01661_.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvr.dll.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\WSS_DocLib.ico.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielResume.Dotx.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02022_.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48B.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.INF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00411_.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7en.dll.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.DPV.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\HEADINGBB.POC.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielReport.Dotx.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00170_.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107358.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152570.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\msproof7.dll.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER98.POC.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay.css.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04206_.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198712.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21316_.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCHUR11.POC.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD11.POC.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749G.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_spellcheck.gif.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR37F.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART13.BDR.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\TRANSMRR.DLL.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_en-GB.dll.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293844.WMF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21534_.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_COL.HXC.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_choosefont.gif.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\PROCDB.XLAM.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6	[email protected]

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[email protected]
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[email protected]

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1412	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2272	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	taskmgr.exe
Token: SeDebugPrivilege	2648	[email protected]
Token: SeDebugPrivilege	1412	NETSTAT.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe
2272	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1412	1640	cmd.exe	37
PID 1640 wrote to memory of 1412	1640	cmd.exe	37
PID 1640 wrote to memory of 1412	1640	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2272

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\system32\NETSTAT.EXE
  netstat -b
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6

Filesize
352B

MD5
f8f385e76aab9b30d76226dd9a16d829

SHA1
07590c0fe2912eca38cdd52502a73f344a086c54

SHA256
a039fef0bd77d043f76d0107fb393e96f67862eb7e7b4cd839f9db97e723fcb6

SHA512
3ac70da3720d7f6ed6df65ddf7fac8c5cb0f637371aa649579759c0de9e72bc71f365dd8ed490cf8348fb8af00f25cb30246ce960b4d48c21f7af05fa49d2e1f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6

Filesize
224B

MD5
058de27aed7e26f6a3c2949e2f13917b

SHA1
884dacafe41d1dc328b9a27a296b9b122d2c35a5

SHA256
57bdafc1109a529cc21618e2797012aa8b2b61674f0d3f6f474fd3688a0ba4ff

SHA512
82ed43217f45f45a0f75a37596dd5a08d654d116020bbc844a5664d5b805ea2d85cdedbd9a94381f1bb38143cd5a03b4cd45cc5c49255a5096fdea4df83e12a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6

Filesize
128B

MD5
db5fc5ec1a9c490fc8d0ae46fcc42a12

SHA1
992b4b8d750f47302c288e475207358bfaaa6e64

SHA256
0939866cb7cb5f13a5ce99a1bf99fdb5893ed1d15431c72feb08b40c1bf75e3a

SHA512
5de3fc262b89bdc4a0a5ced6206b1737bfc36519457edb4ffa763425208e5bfbd3359986f21dd153f0f9855a4fc0b32c802e0a1bf8cb83f47e7dc2a4e2e522d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6

Filesize
128B

MD5
6ec7608322a58b92174e34cb123c64d5

SHA1
ca08b75e872b7ca05294ca8afbb5c91cf83ec3fb

SHA256
ed6b6c64322bf8d7536c53fdb919ddfff383219ee56ba8e0efe253e6a4e74c68

SHA512
161e574c54bd217d153baf17942e3cd36b83ad2b5326a4dfca91c7473c84fb5a1c316557411fe38f6d34e586302c07c2a53bd29df72f809ae0723e5ee4cb5d9e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6

Filesize
192B

MD5
65394900d0e5849f888ac27fc19bcddd

SHA1
bd9dfc4bb58477ebda64ba8499d880984c760f70

SHA256
6d51146f048b93dafb2fd587fcbba8cc7eb8c9d61544b5dc6aeb0113469fe9be

SHA512
6a314159031e65a29b41e0e1509e8a8b04fd6abd11de3bdfa32a9b2aace3a80a7920eb40ee32f5ae514392dc892f3a7c12c9d981b8ae613e2b738d5acf4fc761

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6

Filesize
512B

MD5
17b18f0a97bd5020fa425ff5af58f82e

SHA1
88b56c72fbe78c4e3390e5fab35dcf2dd0838b85

SHA256
14a804986c18fd8573189055995aa13b616cc4c64a4ec181238444dda55589a7

SHA512
21d81526da51d3d9fbb7faad35bd217fab7076dd6f145b1f0cc548be956426a51b1b7672f9fe045da50debf4c2a56e9b1213035c1afd698d2acb95c78de13f31

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6

Filesize
1KB

MD5
8d224ed17a6140ea6a127bcbf7e89c6d

SHA1
21c24b8b975b4ef19a28c2801b02f236dd5e61aa

SHA256
cf8a8cf51e092497addd7b8e9bf7fae9a23c3de32450d0512454ccab83b379b1

SHA512
358a91a3279e523cc0904166568ac19a3fd158a38a28904fe8a7c751529146d7adcd0580a7c942965b1de7390a619d1346481963a8677d6b03075dbf0ae3c32c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6

Filesize
816B

MD5
48a01f34dc0bab8d4ec0ed9087ad74a4

SHA1
4a63b5a922f4f0014157e257f9a8f393bc29dad9

SHA256
b9b7e46cea24868a2d4e1c319cc4cb8a7cbd0244aa1a909a46313778171ac31f

SHA512
fa5f22d62bb00df0dc624f256c28affeb518ce759dcea124b9dfa0e9109dbbbb0137ef827543ce7f12f169126645e33c0cc0300399447dad0d932bb5f685ddaa

Download Submit
memory/2272-567-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/2272-2839-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2272-2859-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2272-562-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2272-563-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2648-499-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-1-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-0-0x0000000001240000-0x000000000127C000-memory.dmp

Filesize
240KB

Download
memory/2648-2-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/2648-521-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/2648-5348-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/2648-5349-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download