441116d55e97124a067207bf57483dd3462bccfb034e56c4152675b0dcb118e7

Analysis

max time kernel
142s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
Size

236KB
MD5

6aa5d9b03d34c87026ac11a6f30524fe
SHA1

c0c532d64bc1d16aeb12ea58c9e94c48eb3d64d4
SHA256

5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0
SHA512

1e0cdbfd5399c03e6db32b309d38f56dc0761d6a9d2319c712f771fecc9fec8aac0c2dd2ee00e4674b26168265558e4d02a810a6326c73e36a1e453ecc394069
SSDEEP

3072:A2XIX/5EEAmkN7HqOaeV/RPMObiZif2fXSF9uvm8dDuCb4NeIAg0Fuj3RK3o1yL:AliN3qO1hR0UiZi+fC+iAObo41I

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Ransom Note

[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem If you want to restore them, write us to the e-mail: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. [FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 1Mb [HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins [ATTENTION] Do not rename encrypted files Do not try to decrypt your data using third party software, it may cause permanent data loss If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files Your ID: vbOqyNvH4VULZd2hsEl2iWGl/YVDM6tHpGbaeO2zLu/Ao+69GggA733NfbhK02nyAKlue6+kF3bNAgmiep8XhXRXpm3vgDSucqbS9iFz+Fhkq281w7o1/PfV6HNmyOjjUSgJqGfFHrZzwxhcO7jhops/UfZ078q576qvh5lmRrI=

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (267) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\DECRYPTINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\!#_READ_ME_#!.inf\""	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

description	ioc	process
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\1.bmp"	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

Drops file in Program Files directory 6 IoCs

Processes:

5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Firebird\	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File created	C:\Program Files (x86)\MSSQL.1\!#_READ_ME_#!.inf	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Program Files (x86)\MSSQL.1\	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File created	C:\Program Files\MySQL\!#_READ_ME_#!.inf	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Program Files\MySQL\	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File created	C:\Program Files (x86)\Firebird\!#_READ_ME_#!.inf	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

2484 vssadmin.exe
2696 vssadmin.exe
2760 vssadmin.exe
1600 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2684 vssvc.exe
Token: SeRestorePrivilege 2684 vssvc.exe
Token: SeAuditPrivilege 2684 vssvc.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

1976 NOTEPAD.EXE

pid	process
2484	vssadmin.exe
2696	vssadmin.exe
2760	vssadmin.exe
1600	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	2684	vssvc.exe
Token: SeRestorePrivilege	2684	vssvc.exe
Token: SeAuditPrivilege	2684	vssvc.exe

pid	process
1976	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 288	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 288	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 288	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 288	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2804	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2804	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2804	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2804	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 288 wrote to memory of 2484	288	cmd.exe	vssadmin.exe
PID 288 wrote to memory of 2484	288	cmd.exe	vssadmin.exe
PID 288 wrote to memory of 2484	288	cmd.exe	vssadmin.exe
PID 288 wrote to memory of 2484	288	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 2748	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2748	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2748	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2748	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2544	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2544	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2544	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2544	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2544 wrote to memory of 2696	2544	cmd.exe	vssadmin.exe
PID 2544 wrote to memory of 2696	2544	cmd.exe	vssadmin.exe
PID 2544 wrote to memory of 2696	2544	cmd.exe	vssadmin.exe
PID 2544 wrote to memory of 2696	2544	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 2460	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2460	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2460	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2460	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2624	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2624	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2624	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2624	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2388	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2388	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2388	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2388	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2460 wrote to memory of 2760	2460	cmd.exe	vssadmin.exe
PID 2460 wrote to memory of 2760	2460	cmd.exe	vssadmin.exe
PID 2460 wrote to memory of 2760	2460	cmd.exe	vssadmin.exe
PID 2460 wrote to memory of 2760	2460	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 2740	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2740	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2740	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2036 wrote to memory of 2740	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	cmd.exe
PID 2740 wrote to memory of 1600	2740	cmd.exe	vssadmin.exe
PID 2740 wrote to memory of 1600	2740	cmd.exe	vssadmin.exe
PID 2740 wrote to memory of 1600	2740	cmd.exe	vssadmin.exe
PID 2740 wrote to memory of 1600	2740	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 1976	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	NOTEPAD.EXE
PID 2036 wrote to memory of 1976	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	NOTEPAD.EXE
PID 2036 wrote to memory of 1976	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	NOTEPAD.EXE
PID 2036 wrote to memory of 1976	2036	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	NOTEPAD.EXE

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
"C:\Users\Admin\AppData\Local\Temp\5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
2⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
2⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1600

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!#_READ_ME_#!.inf
2⤵
- Suspicious use of FindShellTrayWindow
PID:1976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck
Filesize
16B

MD5
51ed64dbc27b3c0962bff1ddd3d9a697

SHA1
d56e632f009d40f675cb5bb3a31abe56434ea151

SHA256
8b487e2517904a5f23330da47902bba57872cd948fb69188503ea9e951a2579a

SHA512
9fa2158d634ad01982643ffb0e54daef2cecb160ff8488d29b6776573d4ed3ee9f8380d0ed057b22e285e6786f59c5c07d6299a5ec58b2924a895734f0e21a16

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL
Filesize
14KB

MD5
d56d9fb909ae02dc65be938293fda93a

SHA1
cd275f177ae4bf13de789b1dfa1641bf8e1602d9

SHA256
7f35c8e0cecf672a9115ef263f5153e606ccaba7a0fcc4462746ac9fe9c0cb44

SHA512
c4c10c4209681f42474d2e75ba7f89d678514191bb493eceb6235322a3e7f78fa67aad6e3b2c6eb92f774c1cb353b32ae70941489620cee87be7943648ea45c2

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp
Filesize
48KB

MD5
2385c2f60bcd6c894bd6c94e363f26d6

SHA1
7157cdc17a55b811bd993b265a8f7df73693c789

SHA256
fc132d4ebadae1f9e272dc1f3381ac9ca491495d7d91d10d0dae7dcba5743e2d

SHA512
ba6bab7bcbdee455db224b0a164edd7cb6f089ad1a58e29a26c21afee02b7ac875ac778a516cb64f1373753f5ae4e7b76d3e4e3618664900ee9063079cc17b30

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi
Filesize
140KB

MD5
a5680e50b879562fb4272adec5643df0

SHA1
26647277c82bd2c307f3bebbb83c580903c5e2eb

SHA256
4cfde7db0ed75e6f6fbcefe9438833ca156da98ee22902bfc31c4f038ab07d0f

SHA512
171f910e6149ce418cb6251fc9c94c248d1fa3b4e7b0cce7ca5cf5f441680e420e6884ec6a8be9bdbb674c24bac7b0c9a7ab9f3679fb27b35ae6c37aa93fd831

Download Submit
C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf
Filesize
1KB

MD5
213422e7c05f99771f75ce3f59f0a45c

SHA1
83081ba7306e0cfd8edbf24861c0980f521ee66b

SHA256
55e3458359fb8c1b3b2aaf84d5ae0d205edc32820cb16610a90f18e44a89c679

SHA512
dd67f93ebe1f4be8346b1c98ef98e8f4519c94ae99744040879d5dc5fd23c2ece285a2043086ac76866f5af657856ad4322e1a046c037e31f5f6b6cb5ae9e305

Download Submit
C:\Users\Admin\AppData\Local\Temp\RD3996.tmp
Filesize
16B

MD5
770d2f3017c668bcffd742f9adc26523

SHA1
dbec39f20271ec623922e87cd03dc86e021fd243

SHA256
74d959ef2d18661aaec18233588a8a3b821b57e04e868fa2c1547bdf446a407f

SHA512
ede865d621b841eefa66f7cbada7e6f33d1d0fdd42d941193d5c0d0f14d69e323087c2c5f4fa31d429d2bf17a5b65e0c4abe7125f4ae8f4e72bd2f72a35f1e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2548_2049673321\6ea5a28b-3996-422b-b7c6-9c420189f286.tmp
Filesize
88KB

MD5
3e8acce4682d9ccee2010e1c4ddcb1ca

SHA1
a76eb16b8f284841c5e253ff2593997324bd7a53

SHA256
16fe6b383eb561d29d679fb53d5115ae865b5775a538816b837a5584f4405950

SHA512
1b59206cb30f472bd11c571d6b6551255ded90ba3f07ac1624587e9e654e797b1993880d9b79704d5a6a2c1f3dd201d2c9bdc4bf0bcc7df9dcea3ed3b2f20885

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2548_391778098\7a1865d7-3ab4-4969-a3ef-2cf9d584e017.tmp
Filesize
242KB

MD5
dbb4e2dbeb35972ac8da075e2a1efcb0

SHA1
ed985a9bbfbe738c4e73028f701e9f47ae1288e6

SHA256
6d9b45d06552ab90c63858030fe37c16cd00a58e066072d6dc3742cca47c7b7b

SHA512
096f5afe60c7b53aefa5b1c9b98ec86f3fbdb4306001043b559bd5ceb15b547699d66920ef6ad2a913039e8b019ee576cfc923fdc28ee8f16615fff20fc1e9ee

Download Submit
C:\vcredist2010_x64.log.html
Filesize
86KB

MD5
4615b96fb72edbb509cc6c6a2d645dc6

SHA1
82b06e9af299be8a9e5c84e35a28318642b3370d

SHA256
043d4369a1e77ab6281e4d6469250549ef9a32b9fa4178411e6753b4438f4970

SHA512
78f39aa4f59fcc62728b9b12e0a4ec12f5e5c8bbb6af5e61fbfc5c7ab1673fe5a95611813652949de342bbfc0c2e1645e321f6c31a5b67821efc94a65cb7d2db

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads