dharma | dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

Analysis

max time kernel
357s
max time network
363s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-03-2024 05:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

free robux for roblox.exe
Size

1.0MB
MD5

055d1462f66a350d9886542d4d79bc2b
SHA1

f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256

dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512

2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
SSDEEP

24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

Score

10^/10

dharma evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message F2BE9A00 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (313) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\free robux for roblox.exe	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	free robux for roblox.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	free robux for roblox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\free robux for roblox.exe = "C:\\Windows\\System32\\free robux for roblox.exe"	free robux for roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	free robux for roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	free robux for roblox.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	free robux for roblox.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	free robux for roblox.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	free robux for roblox.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	free robux for roblox.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JYWEBS5E\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	free robux for roblox.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Public\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3J2LRC5A\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGZQH3SP\desktop.ini	free robux for roblox.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	free robux for roblox.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F9UL0C6O\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	free robux for roblox.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\J3XTYXPF\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PY5FLSJ8\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	free robux for roblox.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	free robux for roblox.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\Info.hta	free robux for roblox.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_95ECAC0C669944A48BC8B0078C4F251D.dat	utilman.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_95ECAC0C669944A48BC8B0078C4F251D.dat	utilman.exe
File created	C:\Windows\System32\free robux for roblox.exe	free robux for roblox.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	free robux for roblox.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar	free robux for roblox.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLISTI.DLL	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00011_.WMF.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Maroon.css	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg	free robux for roblox.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui	free robux for roblox.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_hyperlink.gif	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXC	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF	free robux for roblox.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png	free robux for roblox.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01060_.WMF.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00397_.WMF.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_hu.dll.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png	free robux for roblox.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui	free robux for roblox.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPointMUI.XML.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.REST.IDX_DLL	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749G.GIF	free robux for roblox.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME34.CSS	free robux for roblox.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLLEX.DLL.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_OFF.GIF	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielMergeFax.Dotx	free robux for roblox.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00440_.WMF	free robux for roblox.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304405.WMF	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21400_.GIF.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\EXPEDITN.INF.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14656_.GIF.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21315_.GIF	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\MLA.XSL.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana.css.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORES.DLL.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Elegant.dotx.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\TWSTRUCT.DLL.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.id-F2BE9A00.[[email protected]].ncov	free robux for roblox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
748	vssadmin.exe
2516	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c073b6414f7bda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = a0a154404f7bda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417160182"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{74823461-E742-11EE-9B89-EA263619F6CB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad5411b5ef83134f8dd3b2861cd1e3e300000000020000000000106600000001000020000000d993deb028cb1d0fdac9f0a4daf8773269e0a03cf97634415020459f59d08233000000000e8000000002000020000000fe6c4fa556cb8db1aacec4c683f14c82609d7793bfce3638ebeead4d2cb0953b2000000086f5c5590ca1ad75fdaa7cd93d3e2a6ff130d7ecdce0ea4c5276db207c587f0240000000afc517bfbaea08e738ae510582d8ea09556d5454abdbee54e7465bbb7f821561a7474fa0a470a59aa7e3cfeb983b52eb3f5cd0870337af0fc60ebbbd00583881	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad5411b5ef83134f8dd3b2861cd1e3e300000000020000000000106600000001000020000000a03543c9e0cc3081494931d771d54bc4b09b2463debcae1bc3be40d743adf461000000000e800000000200002000000098b14385367ad0d021cda3737cf8e0b1927a707f6d2a3e9aff0d5be88e4866b59000000096a8f1eac4eead35848399c4744eb70a86b134cd278fe7ebf1bf6ecf150864cd034026b8be5289b5c269fd3396eb1dd750d8e4c41fc853476971a1d5dc585de160f5b6a06e7f319f700899e2d893c599c9c228022b91c6e9bb9ea9b03e8b54a30634f0ba5a9f9ba562b5c2c4ae62a31cc2159cb62059cc332f3668d6a47760f630424d86081c44cfdbfeb16a7098d474400000000f17f23ff62dc1d4867212d47444b5fea020a2acb79fda9d12177f872f250156ddb77596754efa30fc50e9602b313bbaafe5dea42af708a482b4f018d00b1f02	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://xnxx.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\Generation = "0"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\Voices\\Tokens\\MS-Anna-1033-20-DSK"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\AppLexicons	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files\Datafile = "%1a%\\Microsoft\\Speech\\Files\\UserLexicons\\SP_95ECAC0C669944A48BC8B0078C4F251D.dat"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{a1758a1b-7967-45d4-8c49-dc01acbc8efc}	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{a1758a1b-7967-45d4-8c49-dc01acbc8efc}\DeviceId = "{0.0.0.00000000}.{a1758a1b-7967-45d4-8c49-dc01acbc8efc}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{a1758a1b-7967-45d4-8c49-dc01acbc8efc}\Attributes	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\PhoneConverters\\Tokens\\English"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\System	utilman.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\CLSID = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{a1758a1b-7967-45d4-8c49-dc01acbc8efc}\Attributes\Vendor = "Microsoft"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\AudioOutput\\TokenEnums\\MMAudioOut\\"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AppLexicons	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{a1758a1b-7967-45d4-8c49-dc01acbc8efc}\ = "Speakers (High Definition Audio Device)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{a1758a1b-7967-45d4-8c49-dc01acbc8efc}\CLSID = "{A8C680EB-3D32-11D2-9EE7-00C04F797396}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{a1758a1b-7967-45d4-8c49-dc01acbc8efc}\Attributes\Technology = "MMSys"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{a1758a1b-7967-45d4-8c49-dc01acbc8efc}\DeviceName = "Speakers (High Definition Audio Device)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\ = "Current User Lexicon"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	utilman.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe
2876	free robux for roblox.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeBackupPrivilege	1604	vssvc.exe
Token: SeRestorePrivilege	1604	vssvc.exe
Token: SeAuditPrivilege	1604	vssvc.exe
Token: 33	2164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2164	AUDIODG.EXE
Token: 33	2164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2164	AUDIODG.EXE
Token: SeShutdownPrivilege	3556	LogonUI.exe
Token: SeShutdownPrivilege	3556	LogonUI.exe
Token: SeSecurityPrivilege	3516	winlogon.exe
Token: SeBackupPrivilege	3516	winlogon.exe
Token: SeSecurityPrivilege	3516	winlogon.exe
Token: SeTcbPrivilege	3516	winlogon.exe
Token: SeShutdownPrivilege	3556	LogonUI.exe
Token: SeShutdownPrivilege	3556	LogonUI.exe
Token: SeShutdownPrivilege	3556	LogonUI.exe
Token: SeShutdownPrivilege	3516	winlogon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1972	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1280	mshta.exe
1972	iexplore.exe
1972	iexplore.exe
888	IEXPLORE.EXE
888	IEXPLORE.EXE
632	IEXPLORE.EXE
632	IEXPLORE.EXE
1972	iexplore.exe
632	IEXPLORE.EXE
632	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2664	2876	free robux for roblox.exe	28
PID 2876 wrote to memory of 2664	2876	free robux for roblox.exe	28
PID 2876 wrote to memory of 2664	2876	free robux for roblox.exe	28
PID 2876 wrote to memory of 2664	2876	free robux for roblox.exe	28
PID 2664 wrote to memory of 2728	2664	cmd.exe	30
PID 2664 wrote to memory of 2728	2664	cmd.exe	30
PID 2664 wrote to memory of 2728	2664	cmd.exe	30
PID 2664 wrote to memory of 2516	2664	cmd.exe	31
PID 2664 wrote to memory of 2516	2664	cmd.exe	31
PID 2664 wrote to memory of 2516	2664	cmd.exe	31
PID 2876 wrote to memory of 2432	2876	free robux for roblox.exe	37
PID 2876 wrote to memory of 2432	2876	free robux for roblox.exe	37
PID 2876 wrote to memory of 2432	2876	free robux for roblox.exe	37
PID 2876 wrote to memory of 2432	2876	free robux for roblox.exe	37
PID 2432 wrote to memory of 2944	2432	cmd.exe	39
PID 2432 wrote to memory of 2944	2432	cmd.exe	39
PID 2432 wrote to memory of 2944	2432	cmd.exe	39
PID 2432 wrote to memory of 748	2432	cmd.exe	40
PID 2432 wrote to memory of 748	2432	cmd.exe	40
PID 2432 wrote to memory of 748	2432	cmd.exe	40
PID 2876 wrote to memory of 1612	2876	free robux for roblox.exe	41
PID 2876 wrote to memory of 1612	2876	free robux for roblox.exe	41
PID 2876 wrote to memory of 1612	2876	free robux for roblox.exe	41
PID 2876 wrote to memory of 1612	2876	free robux for roblox.exe	41
PID 2876 wrote to memory of 1280	2876	free robux for roblox.exe	42
PID 2876 wrote to memory of 1280	2876	free robux for roblox.exe	42
PID 2876 wrote to memory of 1280	2876	free robux for roblox.exe	42
PID 2876 wrote to memory of 1280	2876	free robux for roblox.exe	42
PID 1972 wrote to memory of 888	1972	iexplore.exe	45
PID 1972 wrote to memory of 888	1972	iexplore.exe	45
PID 1972 wrote to memory of 888	1972	iexplore.exe	45
PID 1972 wrote to memory of 888	1972	iexplore.exe	45
PID 1972 wrote to memory of 632	1972	iexplore.exe	46
PID 1972 wrote to memory of 632	1972	iexplore.exe	46
PID 1972 wrote to memory of 632	1972	iexplore.exe	46
PID 1972 wrote to memory of 632	1972	iexplore.exe	46
PID 3048 wrote to memory of 3556	3048	csrss.exe	54
PID 3048 wrote to memory of 3556	3048	csrss.exe	54
PID 3516 wrote to memory of 3556	3516	winlogon.exe	54
PID 3516 wrote to memory of 3556	3516	winlogon.exe	54
PID 3516 wrote to memory of 3556	3516	winlogon.exe	54
PID 3048 wrote to memory of 3556	3048	csrss.exe	54
PID 3048 wrote to memory of 3556	3048	csrss.exe	54
PID 3048 wrote to memory of 3556	3048	csrss.exe	54
PID 3048 wrote to memory of 3556	3048	csrss.exe	54
PID 3048 wrote to memory of 3556	3048	csrss.exe	54
PID 3048 wrote to memory of 3556	3048	csrss.exe	54
PID 3048 wrote to memory of 3556	3048	csrss.exe	54
PID 3048 wrote to memory of 3556	3048	csrss.exe	54
PID 3048 wrote to memory of 3556	3048	csrss.exe	54
PID 3048 wrote to memory of 3548	3048	csrss.exe	55
PID 3048 wrote to memory of 3548	3048	csrss.exe	55
PID 3516 wrote to memory of 3548	3516	winlogon.exe	55
PID 3516 wrote to memory of 3548	3516	winlogon.exe	55
PID 3516 wrote to memory of 3548	3516	winlogon.exe	55
PID 3048 wrote to memory of 3548	3048	csrss.exe	55
PID 3048 wrote to memory of 3548	3048	csrss.exe	55

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\free robux for roblox.exe
"C:\Users\Admin\AppData\Local\Temp\free robux for roblox.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2728
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2516
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2944
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:748
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:1612
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:472069 /prefetch:2
  2⤵
  - Drops desktop.ini file(s)
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:632

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- C:\Windows\system32\utilman.exe
  utilman.exe /debug
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3548

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:3568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id-F2BE9A00.[[email protected]].ncov

Filesize
1.2MB

MD5
0077b8dff46a52b0125293c1fca0f99b

SHA1
68a8a027be5595d0b567198b813e0f8836251a47

SHA256
2781b4af89a7b2353449daa6941dc7a3265cae0c841e52aaa8301fe1a923b482

SHA512
3ed7f45a18b705ccf8a28aa78310a338c7a9622fdb62f2d92c5bc83167c3b52547a18e2d0f3db2016ae378b43fc553544115d86749c36496baae7e7e2972e397

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A076F1E564CC55CC50C90DE55DC44E15

Filesize
472B

MD5
5ee48a54fbf61705b1df0dec229d13e4

SHA1
986ee78906904adce3afb4c3e80761a84a98c2fd

SHA256
0dd316076792ebb1ed6ea210f2e6829a153ad37f408b44284352855d8e6b1f26

SHA512
610d3bde12d3d199c72c459be1c351d394ea9b3dba3ff8204f9ec96430b6610332aeedec71b5df25c86e0aee3c1d1198e0fc80bfb05095eb1e26c62034c778a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
efb45342a1be576755e6b074079fa5dd

SHA1
4b34aa5cc4648c0e5fa1056376d9944cfb8363c0

SHA256
b675af600ebcf8410f8d6000456c0e3183cb1559076f55f4d9cfbc922e3a6cff

SHA512
37a1c4302bc973f7097dd8228bf36a358425087227cef84079089d8eb2af4fcf7cee5fb721a940cc70f6e46597684b2e4ebcc42a66e27f20227150263f15771f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92e3dabe1be0508bf92eeed53fc0c91c

SHA1
70e10b3e6d895679f938fb5b1e49dd84347f1922

SHA256
fffda2867d73bc295e2c8f8d9b7ec3991687fb1dff26092d6d51245e2667af8b

SHA512
401c55db1b589fb692dc477fcd100195f3c7597cb2e03c73c0754cae94116d86b2ea2356ddf3ca11ecc7abcea8ed5ecb8c80fae8cab0410c3b4fc4177a087dad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
172714474c8996ab59764397cb79e210

SHA1
7b2c5880243eb9f6e88c1429c11165ffdea0c0e7

SHA256
424f3370465d2dc11c45427c6a3c4150a264d076b8a7ee847849cdefecfd005a

SHA512
546cbff43b3f678cc239581dcc5c82d5f425a37b9d4470bd33390458bc7a22f59509e6aaa2f99815ea3001cddf82066d30459ee441f9c596ebd497eb7bb22ce2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45d1054d527a6f7f1ac54d783c398423

SHA1
a08b5a9f204165a51aca8b4a11fe54a38e78b682

SHA256
44c25703b47c0afee608912c2f579ae4ec4a2105ae0413a521dc3046fb7c5b48

SHA512
aa911ff37fda61a6222cc256ad401d59aa5c9515d9e754a66920194aaf9b56ef477ffb026f86ebf5c75350c8e00083a6926a4c0b38571998c1102649a8616977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f8636e3ef2968998191a322a4e62a17

SHA1
d4e7d2b64ddf733b88aaa1822788268472f4196c

SHA256
ccd453ad41203a1d2b1996ac977b567cc1fc29b09dd64a4b26508c4ba4116029

SHA512
5f935cf2fbd4032125ccb47a5c3e77fe26b29f9bb5c62e5213898eb50396e9c9047c9a5877c635f9b0910e067e663f478fed8749f25b02a9d3e87705e47bf51c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a16ab9619bfbf0683a90a42f1b673f05

SHA1
04e7c4c49f16eec7d6227695db207d024e5257ce

SHA256
045bee3f69694ef271cb8ad45ba2cf821f1d1e0801433c969527aa5fe3f36fb2

SHA512
29e8151d12fc1ddaf54b52dba8473bdeb10103347cda8e347868555a7810da9b043541f548249e648bcafdf023252dc5b73bd9938e0212a2c806c1ae9424aa77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43c8df515ccaf2a7a83ca4d5868b06e2

SHA1
6931dec12df8655de08d094d431653807527dfea

SHA256
6301f24efc792562a4444ef780fe2ae9e380af1f1bc016a2cfc3706371d26de1

SHA512
f9fa02293879f58c1946be943ebd34a21958dc998381017e734fcfd03a6cbff0b14c3b4ac77d4c96236502524c1a51524d5ccaed42919e4f38908b50be2d058a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54477d661f4b2205112404317faf3521

SHA1
e2d141b3ae572d5623400761be859e32f27f343f

SHA256
67a22d781aed6d4df2c084b203674f5d82eb89d111099d2f50bc1998f500bdde

SHA512
ef50f803a9c128b2d4790d71abeb3d5d80e3b29855010c3d31cec285ea718c344afa86566c5f6224af9d0a3267585f68fe11aeb1b63c1f1b863bd6726edf1e71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3fd995807cb9cf93122cf1367835ee19

SHA1
4adc2eb9fa2d0ac6cf4c1df27bad334eb4a49e8c

SHA256
d237c85f49e0ebac9dc80b8073d8c9745e84608b18f10847863936f217edb5e9

SHA512
684e05e9c751b94284a4df6fa3f7e01d29b4c85cf7b362271426c8d1c8ef6984185b10d43bdfa1441631fc3b8bd6c99f85ce6b10a094dcc0c388fafb3651f7c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4fd07e91ff21d19f252f8e4215a40d4

SHA1
d02e766934fc1f87d96a7e626ee5a53952e9bc58

SHA256
896e5c46fe1a02560b281536223bee847c3d8d7be59462fb9b38963df7df4601

SHA512
46d5c8b1753ad49ce206aa6baba519e58ee39d270b40a0037490e6d0d5c6a27b6350679df8c5e77941e90da6f93731fedd03ffec96867dd95354f11daddbbeee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb7e5ce2b4a1f0e7e40ed3ce3587704d

SHA1
4491709c47e551d9e318d40ae4c997211c761ebb

SHA256
2e49972d4dd6ce134980634522f4306f9109ad43bb7d2570e3ee6dce5af3d8d8

SHA512
a553aed6e35e9f8e7e0e44aad5beae54806561d831f7e84425fc2df2b00b2710b18d4eafd30ab6601e1f6b268b462db93f235a54b646ff0cd1338cb01e405308

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49cc415bfad227e495de9349350905d6

SHA1
fa58e631b9376a49ab6f5ff6bb613db6cb08465d

SHA256
af67f76536bf775c44513dd2ee4592b54d5fdc48d6b0ecc001bf67aac3234845

SHA512
afd05428cc58b41e4d32590a79080c007f04509c3334808a1c06091072d2609b34e284a4074a2a1e105dd4679af762cd8f5a36fe640482f8f5056dd56d3db5c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9bfbd93fb39a77f7e6c461e8830f8ba

SHA1
2242415bacef1590f3ceb152c1697019d4163829

SHA256
895c13b02cea9866b86fbf56c54efca61f23b26eb81ec97b3f04e65a2562b956

SHA512
85713779ada10d101f96d34547a51fd3eb75678313a0321e69b64fc9abd9d045342496bcb9cf1e7d1f1bbbbfcd03eb4772b34dbbcc891be6d0268a84b3463e64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A076F1E564CC55CC50C90DE55DC44E15

Filesize
484B

MD5
a5a31bddab333c0690cf67a6d2306a9f

SHA1
80db5fc56c2215d3bfb6e7fc35e18c9e7ac4c5fe

SHA256
7187e228bba2afbad189ebe3768f80be051415b893149b3c38b71a444e3cc23b

SHA512
57608b6ef164f30f0650752d0fc76d2afd1c4f2daba584211940b7c6433846a3352b1122fbcecf4651cf06b2eb04467f0147d8245a7c57c79c71692a43eef204

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
fd1036589481e8cd5982e9cf9d55eb30

SHA1
b69b9b2779e39f6a6868a4c5c7cb2980fa12ee24

SHA256
6f86afb17e87076cc4f48120623d2abba6567ceda037a12013d076dcb320fb12

SHA512
488b29f6aa7ede552ada10a90ccef5a9390577d1b7ce1082e1e5a3f39ce3ef6e491d8e4f4c92b13fac81985298a667b6a4d42f8212de4c6d79ff6730bb5fd652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\re26ad0\imagestore.dat

Filesize
1KB

MD5
95bb31d321cdca2ab269b08c37638bc9

SHA1
93d4c307ea19f687e0c2b30fe310fa784060e066

SHA256
1bb4cb88341e231ad34f10025e7500eee3bfb18f2747b1685c45eef1b27f692e

SHA512
f4f411d52dbca49aab83e6aaaad5480496d4628c7c0dcf162f3c5d0b99e2150f58768df7225f74dcf1c5261aa534b92a3cdb2c629a592b5565c0d26e0e13c368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini

Filesize
130B

MD5
941682911c20b2dabecb20476f91c98a

SHA1
0b0becf019cb15e75cdfa23bf0d4cb976f109baa

SHA256
3fef99e07b0455f88a5bb59e83329d0bfcebe078d907985d0abf70be26b9b89a

SHA512
a12f5caf5fd39cf2ae600e4378b9296d07787a83ae76bc410b89182a2f8e3202c4ca80d811d548193dff439541de9447f9fa141ebfd771e7ab7a6053cb4af2b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A0RJ9PVC\favicon-32x32[1].png

Filesize
1KB

MD5
13ec9ac2e996d9391656ea2eab20aa3c

SHA1
b1859fcd2bac5dbcc01723ed2cf8de42da3a29e4

SHA256
8e8c6df89c21ab3b77f17fbc488e33f581326a4b6d3491d1abc9991f748f1447

SHA512
61692fd6ff2b951802c6bd873ee2cebd540f7c3ae339aa4b01bf05f710a55bbddefdb297e2d29b6f1ff7ec6012f7e1b8daf7c870021220c4028b62e5646fb565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GMBM03ZS\qsmlX32FK5DP.xml

Filesize
201B

MD5
f30ded146946a5ca5fc0b55f45998e48

SHA1
beb1ea5aba33f4a655f95c09989d81ea19110d57

SHA256
5f29f52ca46ab110b6035b63b1afdce4c237ab88f6bd40dbc21c2cfb2ce50a5a

SHA512
dcfcd612a37de4040e07bcb61af608e2ff4080cb2bbe4d21913e7a81a9b2579060ab34a71694668f08a0b9097685a39be973abc886c88b35febf3ccae743a2ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GMBM03ZS\qsml[10].xml

Filesize
200B

MD5
38667c3f9fb42963b07539aa8c78e649

SHA1
7c6fc4d73f2704d2dc267fbc4f870890abe7f20f

SHA256
695a872885cfc4575861589073743308f981aeaf72e473fc6f57a72e9a77b751

SHA512
a3a418e1b7826798953094d347b53272ed8d38e00e484f9887e7807f9f80fbfb3ab5d21f495da1c726402bbcb2b645cd7bbdf4a70f68f516348ff49f32098d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GMBM03ZS\qsml[1].xml

Filesize
490B

MD5
de9016bf8c0192a451f9f22c39b2353f

SHA1
c54620fe30162e6898a856f0b3ec9cb6e6a4deec

SHA256
479bf8c6ff0df95eef9876ac43caddfdb6947b87142c3e5f9b5f3717f77d9fb0

SHA512
59b9e808e7efc355d1d04bcb4172ed567407e230095d38f3d7d977a908c507c2a1296e8924bdb924fa5de8517b62ea1af61ef531d55297977252f16a98ae0c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GMBM03ZS\qsml[2].xml

Filesize
512B

MD5
f1da65547654d193bbb4db2e34c2f5ca

SHA1
291e6e79a59f6be5e974276b03f536d35f11f5b7

SHA256
f522f1bd9305fb44eb1161cda0b80e3db9f9767d9e9e55d761470776fc38f48c

SHA512
ddbcda7b90275e567701182f631c850fefe18d624e3ee65176180faab7f5a289bb33e76c3d414a3c6f0bf5bd02a3a3df5789e59d9b7a7a2170afdc812eba3fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GMBM03ZS\qsml[3].xml

Filesize
598B

MD5
6538ab6bf710b17ba3890f27f0178b7a

SHA1
bf0cdd885a7b8cfd02f219e4a6fd15f340a269a1

SHA256
b2b4a99692b1622da62ccd39bd9fc270cda8f13622c00e4f55b934dbc7f52cc2

SHA512
0f37c2f5e807d2aefc818dd8eb3007cbe507d7afd4c8d747f5500846c0dfea2450137d8b36251f20cce33f662f2c45fcf5cab0952db7a099e6eea1917e9632c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GMBM03ZS\qsml[5].xml

Filesize
431B

MD5
7b8c38483ed876a753ef8af97fbdbfc9

SHA1
b98474fdbbdb67ced29e0add17fa25a6c2ed3b49

SHA256
7db46e2a01fd54ab7cdb7335f4e4e010525c014cf4d22a8d140173a3045e9e82

SHA512
f86eea946b49cb2fb5ae68a31eb79e2724821a7a6ab07ece2d11d41a7ba19ebfc417e9eee906f2a54d06f4ab040f762a4cafbc40f0bac697ae0972821c7868eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GMBM03ZS\qsml[6].xml

Filesize
577B

MD5
fb9e8d115a3fb7ea7690bde7c948c3e6

SHA1
375edf3c89b53cebe4f06e22913a86100097a2f4

SHA256
ce7b8ee50963124866c65b26d523bf06c9dbe3032e2940c2908b5d443eca5b7e

SHA512
fdc3a887379a16f37f7bee62b73b1d4da1bb5df1f994f82a2e51828c4150e1d1d55503af0ee51102a701e4eadd39ecb822f4bdebd84df77fbc30cd2ef45ce984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GMBM03ZS\qsml[7].xml

Filesize
197B

MD5
5d10ab2ae5f6bc6c062ff8fa0942ba83

SHA1
958c91e7f57773f98f0ea5d2d2e60ce53e0810ff

SHA256
436c3477f1ecad08c5f378f111ea2182fcbf7fc06d55c2877f270fd8d4ab5d4e

SHA512
1033be226a8616b16b4da5737adcbde4d38d0a5565b24b25fb7de40661423a13238a67005672e4e03f34491344dd05d4e3130c15fa9a6a16eac97e3fa324f8d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GMBM03ZS\qsml[8].xml

Filesize
198B

MD5
c3dd26690af43e568b622281a648a0bf

SHA1
83a41b87ca10256a5fd9b52da59a48460aee57ee

SHA256
b2acfca40832b4ced84e4a046b749b34cc4e8abb1a66392b3d97ad496af35d67

SHA512
eccb7fc137d8aa8912b07d5526c9fcd8af3f146df48c42adc299569836291aa48ecf642d18536eeb85563abaaeb542eac2de8b3f1b5460cc56ecdae5e49d5f00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GMBM03ZS\qsml[9].xml

Filesize
199B

MD5
252e0631bf22fd80f0a36f13ba841f0d

SHA1
dcbc1860d2e8ee50d3979b4c172e0ce369b61735

SHA256
0454cb1eb30791524cf8d2265460175fe450894d8f9883c580c0d076b78888a6

SHA512
3103ce6fff09a4f5e37500cb8a4ee24cb82c41f7f972226774a6370af34b5c6a7a2e24fcd169b3402873bbdb8d2328578cd2d8aaa5f9c15add2f548152f1855c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEF25.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3S5P4BMG.txt

Filesize
499B

MD5
7bbb116a7d9ae278e2b43f662f881c3f

SHA1
1163ff3cb0365e459cd8ea916757fbe8b5d9a94c

SHA256
ebe46d5c614fca0f6bd2ab31470bf92830d1fe02328b2de2fc72eef93e668d6e

SHA512
4b7397a91ea2c0a891ee467da94743bc168e3d8eda5ac526143e63b6cf4609562781b904da7f20c5f964e0a03b060107c7cb69d1b71cf128a74d933a4d56500d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
13KB

MD5
58637e647d5c12017d6f46a10a97e260

SHA1
ddc6126874c888bf534e08df87021181e9f53dfe

SHA256
40308487a9f0b70f66ed40582f689368a49cb31122b9e28fd765cbb2e5031025

SHA512
5e5d78d9d125ab352a50755bd2e3280b756aec9653144bb71c1849686771283554198024b68889686157406135c1456b5c5393cdea049e2bc140990966b6322d

Download Submit
memory/816-20916-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/1280-20218-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/1280-20194-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download
memory/1872-20924-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2876-0-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2876-13495-0x000000000ACA0000-0x000000000ACD4000-memory.dmp

Filesize
208KB

Download
memory/2876-3699-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2876-1-0x000000000ACA0000-0x000000000ACD4000-memory.dmp

Filesize
208KB

Download
memory/2876-2-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3548-20919-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/3556-20918-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/3556-20923-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads