buran | 43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de904e0d5b71c0c3d99430b61d40aae2.exe
Size

406KB
MD5

de904e0d5b71c0c3d99430b61d40aae2
SHA1

5e1add3f70404f2110c389674e481484365eead4
SHA256

43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b
SHA512

25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0
SSDEEP

6144:Zmr7jJUEMBNUNwxJ6m16i6d+W+u7Qn7prLtSacoTccdk+Hy:ZyfJcLUNMu7Qn7prLQQTccrS

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 397-583-976 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 13 IoCs

resource	yara_rule
behavioral1/memory/1676-2-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral1/memory/2872-77-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral1/memory/1676-99-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral1/memory/2872-189-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral1/memory/1080-194-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral1/memory/412-249-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral1/memory/1080-203-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral1/memory/412-12115-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral1/memory/412-22820-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral1/memory/412-22821-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral1/memory/412-24518-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral1/memory/412-30674-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin
behavioral1/memory/2872-30705-0x0000000000400000-0x000000000054B000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7390) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2012	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
2872	explorer.exe
412	explorer.exe
1080	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
1676	de904e0d5b71c0c3d99430b61d40aae2.exe
1676	de904e0d5b71c0c3d99430b61d40aae2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	de904e0d5b71c0c3d99430b61d40aae2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	iplogger.org
19	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Paris.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME35.CSS.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts.css.kd8eby0.397-583-976	explorer.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN082.XML.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200377.WMF.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\release.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Prague	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKUPD.CFG	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\profile.jfc.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107262.WMF.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Trek.thmx	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate.css	explorer.exe
File opened for modification	C:\Program Files\WriteBlock.dib	explorer.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo.kd8eby0.397-583-976	explorer.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00736_.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN01165_.WMF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285796.WMF.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03464_.WMF.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN103.XML	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107188.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234687.GIF	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\AcroRead.msi	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02439_.WMF.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00252_.WMF.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02441_.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WHIRL1.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ORIG98.POC.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICTPH.POC	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Managua	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234266.WMF.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLFLTR.DAT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryMergeLetter.dotx	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityResume.Dotx.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171847.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10290_.GIF	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Waveform.thmx.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSO.ACL.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageScript.js.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_OFF.GIF.kd8eby0.397-583-976	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml	explorer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1992	vssadmin.exe
2572	vssadmin.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	de904e0d5b71c0c3d99430b61d40aae2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	de904e0d5b71c0c3d99430b61d40aae2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	de904e0d5b71c0c3d99430b61d40aae2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	de904e0d5b71c0c3d99430b61d40aae2.exe
Token: SeDebugPrivilege	1676	de904e0d5b71c0c3d99430b61d40aae2.exe
Token: SeIncreaseQuotaPrivilege	3020	WMIC.exe
Token: SeSecurityPrivilege	3020	WMIC.exe
Token: SeTakeOwnershipPrivilege	3020	WMIC.exe
Token: SeLoadDriverPrivilege	3020	WMIC.exe
Token: SeSystemProfilePrivilege	3020	WMIC.exe
Token: SeSystemtimePrivilege	3020	WMIC.exe
Token: SeProfSingleProcessPrivilege	3020	WMIC.exe
Token: SeIncBasePriorityPrivilege	3020	WMIC.exe
Token: SeCreatePagefilePrivilege	3020	WMIC.exe
Token: SeBackupPrivilege	3020	WMIC.exe
Token: SeRestorePrivilege	3020	WMIC.exe
Token: SeShutdownPrivilege	3020	WMIC.exe
Token: SeDebugPrivilege	3020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3020	WMIC.exe
Token: SeRemoteShutdownPrivilege	3020	WMIC.exe
Token: SeUndockPrivilege	3020	WMIC.exe
Token: SeManageVolumePrivilege	3020	WMIC.exe
Token: 33	3020	WMIC.exe
Token: 34	3020	WMIC.exe
Token: 35	3020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2616	WMIC.exe
Token: SeSecurityPrivilege	2616	WMIC.exe
Token: SeTakeOwnershipPrivilege	2616	WMIC.exe
Token: SeLoadDriverPrivilege	2616	WMIC.exe
Token: SeSystemProfilePrivilege	2616	WMIC.exe
Token: SeSystemtimePrivilege	2616	WMIC.exe
Token: SeProfSingleProcessPrivilege	2616	WMIC.exe
Token: SeIncBasePriorityPrivilege	2616	WMIC.exe
Token: SeCreatePagefilePrivilege	2616	WMIC.exe
Token: SeBackupPrivilege	2616	WMIC.exe
Token: SeRestorePrivilege	2616	WMIC.exe
Token: SeShutdownPrivilege	2616	WMIC.exe
Token: SeDebugPrivilege	2616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2616	WMIC.exe
Token: SeRemoteShutdownPrivilege	2616	WMIC.exe
Token: SeUndockPrivilege	2616	WMIC.exe
Token: SeManageVolumePrivilege	2616	WMIC.exe
Token: 33	2616	WMIC.exe
Token: 34	2616	WMIC.exe
Token: 35	2616	WMIC.exe
Token: SeBackupPrivilege	536	vssvc.exe
Token: SeRestorePrivilege	536	vssvc.exe
Token: SeAuditPrivilege	536	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2616	WMIC.exe
Token: SeSecurityPrivilege	2616	WMIC.exe
Token: SeTakeOwnershipPrivilege	2616	WMIC.exe
Token: SeLoadDriverPrivilege	2616	WMIC.exe
Token: SeSystemProfilePrivilege	2616	WMIC.exe
Token: SeSystemtimePrivilege	2616	WMIC.exe
Token: SeProfSingleProcessPrivilege	2616	WMIC.exe
Token: SeIncBasePriorityPrivilege	2616	WMIC.exe
Token: SeCreatePagefilePrivilege	2616	WMIC.exe
Token: SeBackupPrivilege	2616	WMIC.exe
Token: SeRestorePrivilege	2616	WMIC.exe
Token: SeShutdownPrivilege	2616	WMIC.exe
Token: SeDebugPrivilege	2616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2616	WMIC.exe
Token: SeRemoteShutdownPrivilege	2616	WMIC.exe
Token: SeUndockPrivilege	2616	WMIC.exe
Token: SeManageVolumePrivilege	2616	WMIC.exe
Token: 33	2616	WMIC.exe
Token: 34	2616	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2872	1676	de904e0d5b71c0c3d99430b61d40aae2.exe	29
PID 1676 wrote to memory of 2872	1676	de904e0d5b71c0c3d99430b61d40aae2.exe	29
PID 1676 wrote to memory of 2872	1676	de904e0d5b71c0c3d99430b61d40aae2.exe	29
PID 1676 wrote to memory of 2872	1676	de904e0d5b71c0c3d99430b61d40aae2.exe	29
PID 1676 wrote to memory of 2012	1676	de904e0d5b71c0c3d99430b61d40aae2.exe	30
PID 1676 wrote to memory of 2012	1676	de904e0d5b71c0c3d99430b61d40aae2.exe	30
PID 1676 wrote to memory of 2012	1676	de904e0d5b71c0c3d99430b61d40aae2.exe	30
PID 1676 wrote to memory of 2012	1676	de904e0d5b71c0c3d99430b61d40aae2.exe	30
PID 1676 wrote to memory of 2012	1676	de904e0d5b71c0c3d99430b61d40aae2.exe	30
PID 1676 wrote to memory of 2012	1676	de904e0d5b71c0c3d99430b61d40aae2.exe	30
PID 1676 wrote to memory of 2012	1676	de904e0d5b71c0c3d99430b61d40aae2.exe	30
PID 2872 wrote to memory of 1108	2872	explorer.exe	31
PID 2872 wrote to memory of 1108	2872	explorer.exe	31
PID 2872 wrote to memory of 1108	2872	explorer.exe	31
PID 2872 wrote to memory of 1108	2872	explorer.exe	31
PID 2872 wrote to memory of 1168	2872	explorer.exe	32
PID 2872 wrote to memory of 1168	2872	explorer.exe	32
PID 2872 wrote to memory of 1168	2872	explorer.exe	32
PID 2872 wrote to memory of 1168	2872	explorer.exe	32
PID 2872 wrote to memory of 2972	2872	explorer.exe	33
PID 2872 wrote to memory of 2972	2872	explorer.exe	33
PID 2872 wrote to memory of 2972	2872	explorer.exe	33
PID 2872 wrote to memory of 2972	2872	explorer.exe	33
PID 2872 wrote to memory of 1840	2872	explorer.exe	36
PID 2872 wrote to memory of 1840	2872	explorer.exe	36
PID 2872 wrote to memory of 1840	2872	explorer.exe	36
PID 2872 wrote to memory of 1840	2872	explorer.exe	36
PID 2872 wrote to memory of 2372	2872	explorer.exe	37
PID 2872 wrote to memory of 2372	2872	explorer.exe	37
PID 2872 wrote to memory of 2372	2872	explorer.exe	37
PID 2872 wrote to memory of 2372	2872	explorer.exe	37
PID 2872 wrote to memory of 1972	2872	explorer.exe	38
PID 2872 wrote to memory of 1972	2872	explorer.exe	38
PID 2872 wrote to memory of 1972	2872	explorer.exe	38
PID 2872 wrote to memory of 1972	2872	explorer.exe	38
PID 2872 wrote to memory of 412	2872	explorer.exe	40
PID 2872 wrote to memory of 412	2872	explorer.exe	40
PID 2872 wrote to memory of 412	2872	explorer.exe	40
PID 2872 wrote to memory of 412	2872	explorer.exe	40
PID 2872 wrote to memory of 1080	2872	explorer.exe	41
PID 2872 wrote to memory of 1080	2872	explorer.exe	41
PID 2872 wrote to memory of 1080	2872	explorer.exe	41
PID 2872 wrote to memory of 1080	2872	explorer.exe	41
PID 1108 wrote to memory of 3020	1108	cmd.exe	44
PID 1108 wrote to memory of 3020	1108	cmd.exe	44
PID 1108 wrote to memory of 3020	1108	cmd.exe	44
PID 1108 wrote to memory of 3020	1108	cmd.exe	44
PID 2372 wrote to memory of 2572	2372	cmd.exe	46
PID 2372 wrote to memory of 2572	2372	cmd.exe	46
PID 2372 wrote to memory of 2572	2372	cmd.exe	46
PID 2372 wrote to memory of 2572	2372	cmd.exe	46
PID 1972 wrote to memory of 2616	1972	cmd.exe	47
PID 1972 wrote to memory of 2616	1972	cmd.exe	47
PID 1972 wrote to memory of 2616	1972	cmd.exe	47
PID 1972 wrote to memory of 2616	1972	cmd.exe	47
PID 1972 wrote to memory of 1992	1972	cmd.exe	50
PID 1972 wrote to memory of 1992	1972	cmd.exe	50
PID 1972 wrote to memory of 1992	1972	cmd.exe	50
PID 1972 wrote to memory of 1992	1972	cmd.exe	50
PID 2872 wrote to memory of 1868	2872	explorer.exe	53
PID 2872 wrote to memory of 1868	2872	explorer.exe	53
PID 2872 wrote to memory of 1868	2872	explorer.exe	53
PID 2872 wrote to memory of 1868	2872	explorer.exe	53
PID 2872 wrote to memory of 1868	2872	explorer.exe	53

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\de904e0d5b71c0c3d99430b61d40aae2.exe
"C:\Users\Admin\AppData\Local\Temp\de904e0d5b71c0c3d99430b61d40aae2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2616
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1992
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:412
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:1080
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1868
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:2012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
975B

MD5
304eaa54690c1f3f8c943f23ef0d5e3a

SHA1
bc20123a4819a4f979ae443ba9d6e86268f530a7

SHA256
58483467519018796e954c6eb27f41d498073acb9a7c7b7cbb9444f080c889a2

SHA512
fabfa6110ba64e09fac3b333852eafc24b76f199ceeec5fe4c5e8d89361e1f3485432fde5b17daebf5a23d4bcd6e1a21d7d84bc00cba6e63391940814459b369

Download Submit
C:\MSOCache\.zeppelin

Filesize
513B

MD5
8bff8f7ec2dee0630915c750011b1bad

SHA1
3f37e6bc23aba846bffa9d510bfd03024af53c73

SHA256
aca5c1161a85a45d36eaf2bceeff54a0d668bc04957b91f49665fe2a52857ef3

SHA512
e9f1100ee8ebb3614351f8300615fa9400198848502e7d67e8dce918d95a0ce7a245db2a9951fcb7baaeff9c8d0fe36b38d368c263e5daf34ddf0947470d9abe

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
23KB

MD5
0826f2b19444af33eb4e5bae409ae452

SHA1
22d137c806c16adab6cb1fd82cfd673e263b275e

SHA256
78817035bcb9029c93f3735d98aa3b7c1eac11c6c75c3ac34c0d0dbe5226d7b8

SHA512
62d2f8a191e3aef99d8f85b3853499b256fb33085eefca54a1adb9735ea05bbcadeb21c60bb89e91e822d7f270e485e7b85af1656116d538f65c6e68154abb4b

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
28KB

MD5
0970055661c98ba3722560355c62588e

SHA1
82dd7f63f2559bea6b30917fdfeed4c910295590

SHA256
912c171699df88421285d32c0ad737bc9e73f8371ca45d87b49447605388e3f0

SHA512
09ee74c70a37b74b46f17b7de31773f18182199678447e0ecae30536c1c27dd73c89442d7cce31b683c7fea063461c64fbf6981cd0d0d3c7462159178eef531f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
0135f1819d957c8e5463a91ee6869e74

SHA1
fa3330612a2d9b5852d0e53d45267d645e1bcf8a

SHA256
28c76333122f9d735f4472c4dc12d38e237d61d41b0f6a2702d7d470b65190a6

SHA512
0fa345ecf0ac12334bf7192903b96ec07bf8ab478178069f7c8877f57ceb9911d6ff6a1891f10987a5f3212da1c8caa7fff0cf5f0155a5f67b253ebb59d35434

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS

Filesize
125KB

MD5
e12124e9da8e83ed16d7a473d256122c

SHA1
486d018dc0ca6e894ef5cf167200059fd26a77ed

SHA256
725541393f4c5a044e64866805a6291283b7e1d33953f17923ef9eb643913d21

SHA512
5de48c545c8c54160fa7151a2770f4601b8ffd66952e0b604f71918bca9f40c4c5c274edc2673f58db8066ebd74a5a4dcc1fdfad0278957f8785aa4a713219a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
04470436735e75bfaab49a8a9a0c55ca

SHA1
92b55ffca4f06bafde7552f6f95565f91f7de051

SHA256
22f177aab8dabd3ba72b2778366a761dbc313794562a3eae9f2d0836eef5f7cf

SHA512
84c6e39ee61202e1adfc9e73d59633be7d60b70ce3eef6411d76edfa5e766fb3bf63ed4c6ae5cc6d9576fe11e7d81391bdd511e0b28dc2eaf8b8853db7da62c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML

Filesize
78KB

MD5
908fbb1f92f0a2b7bfc21e6adae46ea3

SHA1
bb13905fd9887eb6d8bfb04cc84a58049635349a

SHA256
79408b7e7f232d06a94e1f3598008ae188e8cca02aa8105de766e41c494f3647

SHA512
86f927ba3dcb498cdea4f6ec9869dcbf6a87844633287000a5bd5635cf175c828949733c2c287894558d94f80b14b2bc50cad2cd29019262c2fd7b65b779c92a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
95f5312c7de9db943eff5a3c9560117b

SHA1
3840e1896bcd5f14cd584b704a0fd1b217bf5ecc

SHA256
c1744fde5124706a1196c2caafdff0e7100218b4f8431f1e1dd80261d34d8a38

SHA512
8017102331437faf4553e15a00cef087fe8ebee7c50be8e5ac1db04b3ce7692c2c47eafe83b3323e806bf9004f38a38df146a06fc50096946eaad48dd44bb277

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
78KB

MD5
a2b29fef2071e2b91b533bf7b6b6dfdc

SHA1
3cb776a78e5e09be03e726de14da7d69fd445afc

SHA256
7c03ea30f0337a028de9e88523dbfb1b098d1cd8530959b1ead3d0aacfc95e44

SHA512
70e690bbe80542ea74c108d67008013369c88e3c4c6d609fd95e799a0717c2340b35a3a03e230bef9ef4070719e06b5eb16ca8b0b3784f143e08fc21e10082b1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
49984013dc17900e3cd7258783663d7e

SHA1
8fb8373ed66e95cacaedc8979a40eded82419322

SHA256
54ade10b06862bcf26f2473591e8f9a15f792a956f105b3765dfc2192d36e4bf

SHA512
322e8b0880fcf06c9f5a74f59a17485ff0add7f30d300d50d8e2cfafe257cc2dc4ec301804a4c03081e13cc21d6fbc747d0e045a3614c1b4cac5c960fb295abb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
b4009d6ad6ef064949f394e62f6e0ab1

SHA1
e5f20a4914a88ba3c77f79ca3a4d7540b2cd3fc5

SHA256
aa5cf75c3c92ccbd0507b05272fa33b35009d8db6012e877983f35a70a20695c

SHA512
47cf90b581d106a0e255b4cdd0b47612ab50e0cf69337366eb4b5cb0d3c64ad06a0155790af4b58ca53f98d8def9bac13a96b46a8490c203e3a7308a57d3f548

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
78KB

MD5
e0a578a22ceb3a1efe9aa974572512ac

SHA1
ff1d1b7814eb17ab15a127e7031f49de4e2ad5c7

SHA256
33dfb5dcf2aea7cfec873b3eddc947a642f6284f148318297a29f65ba263e4e1

SHA512
643fa429a39adc178687ae2cbb5036d5205a63d2a4a537a4f8f78cf314696ea852209ea15ef0685177e2e38d1c7866e356343ecb46d7c028c305a59d8269d9f3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
6fc2e80ebf35c97d62f6cc5acdd4d9b0

SHA1
c47d98ca2674631d5725ef2eb6e89aa64caddcea

SHA256
b5ee555ae8106394c191dd78c76d866c9da7cd32a4ff60ada7d3615f781ee7d8

SHA512
b17ab0d62ae0278e350a2784a5fe6d5e4e6c972d14cf362ef5f8b1b97136b02a7637f16a96bbaed67654b09d0ccb99f59cfa4e371ed854e23de12dd7ccff48b0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

Filesize
7KB

MD5
6199c50becdf50dc8681792c65874ba4

SHA1
7224ad14159816f781b3652a3ab17ebedebcbd91

SHA256
1840b5813aa85b01d91acd6b26467f7491760f714fff4988ff6987ba99a4f88c

SHA512
01799b2fd22b097a87f56f3e0a25a2622af195695a62f4281f21d6754728f9f3e5842917927f1728a0d6e51e19ab4456d534930b7a17487ce277eb44954d0f92

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
18e049f6cf04c1aec908d1ec3b77e53d

SHA1
09bc82b759fc2637a994c7e2988fe2040f81936e

SHA256
2fb733e1db1447a6707e4dc9eae05107da74f86830df0716ba44ca373d2947f8

SHA512
ec07ed42d2f9db55aa01a57b673f9d265ca011301f79335bea77b82f7258f30babb49c70b07c64790e998521203b4905b9bb455d8c8e0a00866d5a141ea37117

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
ef835a2943c88abd0a710629418b08b1

SHA1
7cb3ed8b07b09299a940e130e2698ac3314935af

SHA256
45da9039170ef79e2c3e70a4375eb24f36ac18903d55c718ac13448da1586f21

SHA512
b920c9669fc52eaca3d746ef207db2ee7ff49b1cf29f763eb994b811c5abe56ad6abac1295f088cc33781d683e8d41e4f98c3f80d83c1f68a91d9bebda4aef57

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

Filesize
10KB

MD5
a010b7355d80129dcde23acaa60fe7ed

SHA1
1ce678a914c209ccda47ae9f2c2496b759b72702

SHA256
0dc1ee5fea77ecc4027291a76599ccb85de07bd30b98b2886218129bab23670e

SHA512
5fd4844a4eed14df45fdcb172c85dafba7fb0b900500fd9f5825859af226400945e601aad492b163c1d533dc85129191c0fe49b552a9282b8aae05ff85d8dcaf

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
f88b76812c95ddc684ba982939ed70a7

SHA1
5deda0ac88e2cdf54f53d0289d4c985e20c33b2e

SHA256
c100b4c6b607188501ffd0be7c012a710c8b78f064f398f81731d7ea51665947

SHA512
cb7f3be5bddb701586b9e518484a1c53ed9dfd8c36d8f481dd1ed196ddde3545cdc67b22774ac758c9fda061980f6678d1a8d9ea911b1a91354deba0842ae8ca

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html

Filesize
10KB

MD5
4b7d8f884fa91bc367e9c10dff5cb3c3

SHA1
fa5866205dcbae5cc058fe93a71f5828250b9fd9

SHA256
3d4d506c23cd83e5645b3a449572f5c56667982a671b2540a3c72587c7ee9fb6

SHA512
726d4a0c5331be365f1b8dda8e40ee36652ac2a6b940207101266bdf9aaded3819df0fc9311e70633fbcb1dae7f059a79a87a04b1ab1fe0d883a19124481e791

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo

Filesize
604KB

MD5
5d66bc0ba1bce238e51ca3f3a85c786d

SHA1
624da4c4ff8b4556928680b95507c29c53e36930

SHA256
6a8a231bc824edf9b57226e7fb5b9b134cf6036b18934f794cee422811c10328

SHA512
2def71093c6c33b97772ee2811a9a9c87b37ce7809669fb637321b521e51b72e99f8e5f81d4a2651f5df41f13783fa7fc0806fa71a3f36baf529be2d377eafd5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
d68301171dfd3d3fbfd141c51f329203

SHA1
e54e07760f7c3aad105dd1ac15dfe03f8cc9c7ed

SHA256
dc090042ef263d48ccac0439a4786227720c9c8efa19619b4742cdd6ffa6b2c7

SHA512
7be94ab1d66e540a16ddb84cd51495d0b8fc0b13237067b244f52ccbbdfca7a09431c9bbd8bf9cabc53199aa07a0b42b961d3408e050eaefb0c4f2be97605943

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
cc7e18e56d5097a0dcf03955712f442f

SHA1
af6491896686a4957d4deeec3da0fb5dc3f56661

SHA256
446fb790696d7beb082377177eed015b0cb7155ef77002813acb48b41bf5b7f4

SHA512
c372d6121eca384c4c5d1fc64334d8067ea4ea39c3accea37ba18fdfa4a6d8b44dfe68be66dd214618f9ec8189e487262583d9ecd1518f5f4640b44b125fcfe3

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
587KB

MD5
26e47a501c83521b2503455ae3cff73c

SHA1
dc3610b6b86cc4a261df4abde61ec427fe4ed522

SHA256
1c41fcc04969e7b2f220e0237ad850569ddfcd7f1026eb827506d29374ac6cd2

SHA512
c381f77d72a9527dc45ffa59ee5546d7d32849ec6c51b661f559f9be55fe281be685d6608a510311cd1186c91bda5184ebbd6e09cfa53f77a7a595a808b0af54

Download Submit
C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo

Filesize
621KB

MD5
468141e63f4fc9a5fa0f380a718b3e43

SHA1
4facd0d54610c09bfcdbd1fc9ff479b59f57b47c

SHA256
e8a8d17c259064cf4708e36c1a823f132567c6dde9db0e62ae9fe46a7f7e5042

SHA512
5225f86deabc1f4f259d3806f8dcb90987347d29d15a6c5b24b86dce6b7b20963a3559cd122348e95e90049e5b9760915788ddb3eca44555b0554dad2ac21577

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
771KB

MD5
cf7ac0d3463cc711fef8eb621abc949a

SHA1
9ed84a972ca9631b7a68007649c877a4d95c4833

SHA256
75a6ae5e561a03ec1e7b5e108bb68aafe2f02e857d381941168dbbdd32f6e3ee

SHA512
2a6c2992a0a85b17880c5b2185a2a613542574a6c55868dab4e507455975b2ab57374c7c7ee5047de45bd6305e3e827ece2d67f9fa8759af4bb0336046d8172c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
11d71c970ccf0e5af1a11cb5e15d9fc9

SHA1
5cfbda5675975a7d691101a9096cd9d42c964b4c

SHA256
3f37c40cc9fbf51ffff7a4147d81398cde110a815e5fa7894d04dcb883d6fc1d

SHA512
03b6de82dbec27d4b7ca2226f30ed949091969533460f9e2d6f4162d44e4cd6c5d1d8be567b268c0935c71fe06b509001a6c9404595eef8cb2f8c5808d47e632

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
472B

MD5
38cfeb9a4a7c8007273ead650b17d7b0

SHA1
f1bdff77349e0a1b0554b39e1480191a6593668d

SHA256
d71077717606050c4571f0933f95ac9b4cc40e8fd3a724e2728132a94750b587

SHA512
8734e86451ad7c657b54dc1ccce25bfcf49d1459634d2b2f4e65f5bdf1ab243042304fbbd3e9d7560bfc6397a33d5d09681694e6a363497b77f0b9b4e6ff5ad5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
4bbdeccef77d0216c7c85aa8ce6fd456

SHA1
a8e6ece2829f7a721d5e02c7e37d30c0ee584105

SHA256
d4c20a525b2cb0035944212b76b0573779ec672ea64b72679dafebdf7c44a6dc

SHA512
7a5cbcde4e7d2a952f9bc846e29326b53166592224af39d3b67dd6f602a9cc77c2e4d97929823e4329ce1b6557a6df5f437dffe18f4ed93b85f97dd81105d6e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
13cc86f3a0065e53b28c6e0ebe7495c6

SHA1
7691409e7685dd8835c300d7fd0dd6d48b14905e

SHA256
3522076c916bbe124f9adf21162b00f3f5c00d725399aa61f40d40795ea98225

SHA512
c7f5c76e4a029df5603eb60ff1e0e95840e8541c0dac7b30b06e8554d7429c831d7513b878ceea445d6c154fbd510a119682706c60ee2a41d91183a06075d307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
488B

MD5
fc815eff86d62a18557a21d981b5e2dd

SHA1
12fbc993f027e5a783489a19e97523c323015295

SHA256
ba82298e9dd0891640d8c0740bea22c8fbae54073d19e23ca0004d2fd8b65eb8

SHA512
549aeb78a8ac75af754b6883088a39b74c103a3e880051c71e81926643917ba69239f63dc739ab13ba7205b83bdbf4fd2fef79d5e87c0e1e65725a1aa9066e64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
595f717c55cf342ebb1f6403387c1f95

SHA1
006a9114d976bc805039a40181f370c0709d5760

SHA256
72112b957302842d8f6a27d0685871deedf726117d515dbc3678f72c75b3a306

SHA512
19ea3cdc36cd4f914f5639fda151aa076566d618d26013e95f4e6b95e78d3f1769ca58997d72bda069a2eabdc70af84015cea82a79d40729ae1e68cee2863acc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5dcbddc657d55b2236e30e89dbf4ac9f

SHA1
f3b539a20946e0469a7f13f3977f2d30817d9022

SHA256
98ba53bda3604806b0c55b82543f9de9727037905bf95472b0d8f01edaeab32c

SHA512
f5f51e71f297a83c89a7a9477cb5d8470953f792397d5340eeba1a705ad41918ca37e49c62745e58715e512741275503e95d63364f6d33cba323a60f946030e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
44d9e28d4950a612a7b12f5f96f5e218

SHA1
1b1f518aee894fa5879f960813696d83fe69a4e7

SHA256
180666dc46f9601c9bd4775d9ab27804a283c7d648deb6c0876bf4304e0450ec

SHA512
8d937f23d596beb495027008a2606e2dd2b65e2f7c886f565844bf38565fb09a7edf1757b2f1ae5e39ac8ece065e456bc75a01e053eeb48f5a5b2b6f3767a622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\EC4QAFUK.htm

Filesize
18KB

MD5
d86c179bcfbd66e883f47019ea1ca200

SHA1
c63ad8a4b2a4c3e5408225a1231e25ec44d65eb8

SHA256
b465036b723ca3a35874e6eb4a2560140a2a9364ecc53b2dc7c0f1b59d216bea

SHA512
d9136ce45ba1210a717199f6f9292a656ef0fa86674c168a9be09c7ae2aab25c247bc417d1bf24c11fc403becc0da50805a61f0731c358c596a0780ffe986d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\HP85K8PL.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar29B6.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
64KB

MD5
634b7591e4a75943c2f85873aecad85f

SHA1
5edcb924e7ab5016c146144721ac06a76dcb900c

SHA256
bad21e31f60a2213c7824548a1eb520df71ad18b7e681ff6b69ce59ef2b8c82c

SHA512
5e4684c48b1bd4b5191d11f95113a2972a706dcc6fc3fea4404f48d98f9848a23ea8e58ca1bcf32c2d1620af84de3852f6b70b64c5e1eae9d5b3be9a97b74029

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
406KB

MD5
de904e0d5b71c0c3d99430b61d40aae2

SHA1
5e1add3f70404f2110c389674e481484365eead4

SHA256
43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

SHA512
25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

Download Submit
C:\Users\Admin\Desktop\AssertMount.edrwx.kd8eby0.397-583-976

Filesize
266KB

MD5
604d962082d65cb0a645019632d43b75

SHA1
711dc58529c7310a146c867799967df363771309

SHA256
80f015cc4f0e71ac2518ef4f394995fbdb66b93b369b6a9e6d0d90dbbade23a0

SHA512
dc6247b8fbed90bab2fde93ae41f04a96dbcabaf0de67bcda052f6d1b340fe5a57bf0227d1c84685aa9d2bac766ed260ed222018c1d845488ebc3ea43528458d

Download Submit
C:\Users\Admin\Desktop\CheckpointConnect.001.kd8eby0.397-583-976

Filesize
321KB

MD5
c0114dbb2aea1d147b866d3a0761c50c

SHA1
5c9187bed554934cebeb1edf7733d982fa6aae7b

SHA256
11883e625c622c8980dee1c63d4eedd12f3374a58cd8e3b4c9a99cfcf3100d34

SHA512
78e87e87fbed158ec0a77ea18f227cff28bfde8bd20666dc2db6658eb71ee62ac4bf5c7026f6ddf0ccd598323d3dcfe1f9b7db31b8396136607115aa51b13706

Download Submit
C:\Users\Admin\Desktop\DisableDismount.vbe.kd8eby0.397-583-976

Filesize
668KB

MD5
801c9ce42732704ffdcc6db55668b646

SHA1
93a73c395f7ccc0603d36a3289bd46d3b1c2d83b

SHA256
8b8b539e8309287d9afe6bc5505f7867b15cb789400881be5e470b2955bd9299

SHA512
ef0b5b2c31dc8216128c31e1c9ef48ea58d90722095cf75e3fe7bcaab8634b4888ebfe8755e9fc3c857ca6a00469b866c31d3623f2c2432f514d87eed5924b68

Download Submit
C:\Users\Admin\Desktop\DisableExpand.docm.kd8eby0.397-583-976

Filesize
503KB

MD5
1e36affbf963a61d8feb5600bfb01fd1

SHA1
22322b9ac0cf5d2cdd4a12b635bfc0e439b71c65

SHA256
9b97cde1bcb14489f54c19b919516640a3ea787466336f6823990d6b064dd8d1

SHA512
3ba64540fa226e2a3ae00190c429afe1ebccb77f3c947a158af26ad0119804df3e899b310dbc580e42d1f95c8a9548fedb9b88ff09b9c8668b3a48f704823684

Download Submit
C:\Users\Admin\Desktop\EnterConvertFrom.mht.kd8eby0.397-583-976

Filesize
302KB

MD5
99d756e23a78e7560112ced043422880

SHA1
be73072238272518a23e61ddc48f3b74f13d03fe

SHA256
d2f32e409155065a353d1e0e4cf0202448e448ae8156dcd933911c7c5c5dbc8d

SHA512
f2a8a84cdd0f520cbe32efb6bad00aeace35e88b08a89cca94e40ab8ae34521cb1d4cf4f48cf3a7cf0e55515a4ad42afa4b01f7dbcb7f0fb10322c73323987ec

Download Submit
C:\Users\Admin\Desktop\EnterWrite.doc.kd8eby0.397-583-976

Filesize
522KB

MD5
ac431da3bbee874ed77e8b1e28b0d2a1

SHA1
4fa87795ce6c05ebcf3fa4a2039102c9cc59c688

SHA256
d58d8d80464e9640adeea8494070a9e469dde219db5de4f202840381fa11f089

SHA512
a3f484d838f57c29ee11118c513a64811ca1644e8ea30ce98f34659c217db19643f46e4d51340025371324f31459c9e147e78c835c44e9f8a6fcd00ba4c0daf6

Download Submit
C:\Users\Admin\Desktop\ExitEnter.mhtml.kd8eby0.397-583-976

Filesize
375KB

MD5
3c0cbe5c6ad66eb23f33e5504f874cf2

SHA1
17677e6660a1857d02d06136a0453f467ae3d8f9

SHA256
fb4298976201a4b367bebb99f7916149120c4f1e124cd72380d4dad21ffcbaff

SHA512
951ec8f477680dbc0bfce4ad61c9ab238285104417f8bdbe9c4a1843f38f84a20a0f1ee0045280b0c9d9088f57e5e0c2770e3e6411a00b1115f7f42736f902a1

Download Submit
C:\Users\Admin\Desktop\ExportSearch.edrwx.kd8eby0.397-583-976

Filesize
430KB

MD5
e547da0f247b754ca3f77e54207f1f1d

SHA1
810a2921219ca0c379de0ff6b705717ed0973880

SHA256
fb3040e65aecd5724e5952f9abcf7ce389426f46a7e985a616b341717e71e8a6

SHA512
1b32fd46869ab0386badcf9545bc2705d42fb2c91c365e6dc29aa4245d23c2a166bb7e1dd3f2c4dad23caa074fdd871020f1c64e85feff75b858d92131fbdf58

Download Submit
C:\Users\Admin\Desktop\FormatReceive.ps1xml.kd8eby0.397-583-976

Filesize
631KB

MD5
85de263016b39c00e5b4f332c2c13b4f

SHA1
d28a576d92d28858f5b14284004679889415d288

SHA256
58c31b1c838197bcc45d5b2d45093c73f49339f3f19f26058957c62d8a3a4daf

SHA512
f78c896284404845626b9eef222f6be39970517b2ebc6e94d5700284599efa72a3c5ace8a03b3410b4aee2a076dc2daf35ca247e009022ed75f7c3c64d3f59e6

Download Submit
C:\Users\Admin\Desktop\GetReset.css.kd8eby0.397-583-976

Filesize
704KB

MD5
3f60d61223d7a55442eb61db586a476d

SHA1
a549541a63b2eb28f7d0031084c9cfaf74d8021a

SHA256
17ff5782818acee699de108ee175bf319d1230b2de3c6b2a88ac7874867852d4

SHA512
fae9b46dc235294b44d1f9e84433ada9992220d94292bd949a4f95385d8bb391bf61dfed11d5a93dd5c69badcbd52020a21a3290ff201d330f316cb17d65775b

Download Submit
C:\Users\Admin\Desktop\JoinPublish.vb.kd8eby0.397-583-976

Filesize
284KB

MD5
f3bd56945c14ff35a74ee476bcc3f854

SHA1
8c7e24855531fdaec83004916112e878a1547eeb

SHA256
058661048f54e6b45f35bbd74bdcf0401d698e537fa2e0bc9b5b513d4543e509

SHA512
8c6ca4e44f7054b651d1064c9adc7122113bf6c8797fe45ab3237accea3a127171859ad99fef035d88499f2ad7dfc6fba2636f594d57c93c6b488ce13c3e347e

Download Submit
C:\Users\Admin\Desktop\PopRename.xltx.kd8eby0.397-583-976

Filesize
649KB

MD5
84fd6d5bb3dc851b66524b4fbf54e32a

SHA1
b8ee550392d749f4209e5026359dcdc80c52419d

SHA256
c18322d6345a16eafa7226f94b1bdee7c39e31dab41ef09a0dfb060806a84544

SHA512
4c4923e440fd0b5a81d7d5517c7ce782266d884ba48c71e0953460adba58dd7a8285ea35d336b539a77418728c3c4673dd614642753c5c15e9ae5a42c8d4adf8

Download Submit
C:\Users\Admin\Desktop\PublishConvertFrom.odt.kd8eby0.397-583-976

Filesize
412KB

MD5
7f1a0993de29fcdfebca89ec84bf1e2c

SHA1
d650168205f9b877548700fb01dc8110429ab9e9

SHA256
295cc0a7c0149a111f02fa0744845b961115a97b9278509cd1214f791a569272

SHA512
af2fb31529c701dc5c1bcb1a57ee3416c25c3ee030a54f4baa20c650ec58b6dcc6574cf54c1b795d09ea1ea780f02e688d031defc662cbbfcc4243dc0fdcdc4f

Download Submit
C:\Users\Admin\Desktop\ReadFind.xps.kd8eby0.397-583-976

Filesize
540KB

MD5
5551620b15efae0a9986a6d9255265df

SHA1
01ab5eecfe816f4ae33794301605ea6b3359882c

SHA256
cfba5729d9bf2eef712dbc5665d99483dddaf1b885a224d1ca02db685f481936

SHA512
08cdaa2fedc4dd368f300a0b5752f6962187203326238bef9e35c73acf9d583c831986ca886ac490439aa895959cdf603edab0afdfe6eb63755a8cab3096dcea

Download Submit
C:\Users\Admin\Desktop\ReceiveResolve.tiff.kd8eby0.397-583-976

Filesize
339KB

MD5
b27c1f188d806fd91f408350233f64ae

SHA1
45b1a33a11f7818ee57a7fdd5ddb2352a58b82a9

SHA256
c713dffc22a4850dd8d448ce18e4ec48466dfb412e85a9cc75f94d8e04cf155c

SHA512
352b8019f2e1bf9f89e8da2677267697b3134561827cd51a919c3af0adc7fc6d2271b5b93a7e33e91cb1844a593f2ba601cc711a7947e59ce29585cb25c8c3b7

Download Submit
C:\Users\Admin\Desktop\ResolveMount.dib.kd8eby0.397-583-976

Filesize
357KB

MD5
39184f6e892298601301a3266299e44d

SHA1
aafd8310b495000b7ae80426f9aee917281d9123

SHA256
16fc2793843b5df9e0ad4c4b5b3d0e52363e3bdd0139c289f5d688af635af4eb

SHA512
762c41d651d4d592541955d4e62eee9eb87c00fcf07f2c85ebc61f7b58d51b8ba16a1c29a7c325d1129ae56b2c8fea93a23903ed558007e6cb6ec4371d92de41

Download Submit
C:\Users\Admin\Desktop\SelectComplete.cab.kd8eby0.397-583-976

Filesize
558KB

MD5
9842c24eec3b58eb5126a0b5868fdd05

SHA1
47e21dcfecac583f6217816f307354245fad30fe

SHA256
3f147ce401a5a6fc377746b789ba573dc53df3b34a254560fd07f185183dbc64

SHA512
7d2b47ecf7b9b188174e8f7fa978bf295018204f5bde0f6a3fe690d06281fd914ea763dd155b013d51519c6b8f27c2fcd52cb429dde9295c33ad78b31a67494f

Download Submit
C:\Users\Admin\Desktop\StepOut.xml.kd8eby0.397-583-976

Filesize
248KB

MD5
880729f46923dd14da160ea1ab6e3b44

SHA1
3b414b3799793b945614d261164362cd0b997020

SHA256
aed0b78dfaafbf4c8134452a909e158db766df9a3582d1ef6ef86b8180b00734

SHA512
247d321c44d65de4a07cf35afa62f32ef0436732c85c5576d3e6903465e5e0a085272667c226e33a4f318abdeb57866c4ae53fa677d5fe90bf511591462cd38f

Download Submit
C:\Users\Admin\Desktop\StepUndo.au.kd8eby0.397-583-976

Filesize
686KB

MD5
6357ec697b48c8028e8c5dce19927104

SHA1
d5c946931ef5e2985e01ef9360b9e693e1e43143

SHA256
7049f55335cf061f29da0d995aec016b8418211b69be5a6813daff9af6ec91cd

SHA512
9c99eebb828f642b0219c4c173a6c7ca0e0316d765c01c2011cba158b6412e1f8db42ba4bc133a47731e1b27be1587ecb2654a0611d5c1827e6672c5204d151b

Download Submit
C:\Users\Admin\Desktop\SuspendDebug.html.kd8eby0.397-583-976

Filesize
576KB

MD5
29d0a25927c6463deb1765079bcbb14a

SHA1
81bcbcf24034bcf0f43381d88f1acb0e4149c7b5

SHA256
a344f4c819655b85c71e5bc51e3a13f8a179c152d416ff5d3298ef663e5a9e7c

SHA512
d19cf6662e5c921e97af1a0738a2378a40731d464b31ecea54e8387969cbe5217b9e23b608adaa507e445efd36dbb8bd1854e05128ebc853084a401a91ec6d16

Download Submit
C:\Users\Admin\Desktop\TraceFind.DVR.kd8eby0.397-583-976

Filesize
467KB

MD5
965b3474cc3e27a246c2f9f243e9e83c

SHA1
dc77ee8168e67065b6b605ac78fd4c39c06b3c15

SHA256
d5b7e19c7e6e03612de44469566d010bfe404daee847e1e08603845b168c3d29

SHA512
0bfacd049c7659446f7ccc6c6e3f95fdd6699b26482a0017add50008db4acb7e9a9053cacff7345409ba547e713df997bbfc70757e5ea26b146630c0ed5afb5e

Download Submit
C:\Users\Admin\Desktop\TracePing.mp2v.kd8eby0.397-583-976

Filesize
485KB

MD5
1b805e57231f0afed1b616a62492fc3c

SHA1
2c0f083c49ef0ce02512ac646aa60dfdea9e2130

SHA256
6c3f030717f80e4dbf5192c9fac218a44bcf2ad35d0c6dfcad6aebbcc7cd2d0f

SHA512
a21c5a2fca4b89d8872f4193cb4237b753a0eb7be39bc53e9a7630f12f68b5829b6b1025c6c1490002b112a32a3c38fdeec9186ed1f8585b9a1002d06a1855ed

Download Submit
C:\Users\Admin\Desktop\UnpublishFind.dwg.kd8eby0.397-583-976

Filesize
448KB

MD5
1bccb4d2d1645883b27e4149b1f1ce17

SHA1
04bee435c033b4bb360e6ca010e0bd31ee588539

SHA256
6deb89c4140b5ae48ccb09f931286824c9da2faa0f7c6bbd69ad3ec5b6713e07

SHA512
d2a6ca131f1e69d052599e3d4b87be50570259da4a92a2ad70bf851bef8414bb49e8c0db03dbb6ecd50ab4bc31d73731d7ee7add57de399dea1ed44de2bc2ebf

Download Submit
C:\Users\Admin\Desktop\UnpublishRedo.ps1.kd8eby0.397-583-976

Filesize
394KB

MD5
aedd417e807c6024a53401f993dafac1

SHA1
e17f91f2466f0bd9409e6db3f2f9d39385d4b013

SHA256
f0d920810583769f3b8a322de1347197a454d4e56a76d8aa6619a3861517fd70

SHA512
02c57e3be3910441d5c930d34fc5f795f071e9528b8d8160fe13110ffaef7f5ba977952595dc97c038c0b0341f9fff8c7d92f35582a47e9eb5e47575452a8b73

Download Submit
C:\Users\Admin\Desktop\UnpublishRepair.wma.kd8eby0.397-583-976

Filesize
595KB

MD5
e14fbcdf2654bd7e756e0713b7fd7556

SHA1
fd488ebbefd4e132f452a432eaeac91eb6023095

SHA256
cbcef0876dec23e1e358b7d934d4585034cd81bb3ce4ea9f2ff3637c69ebb178

SHA512
197a8be6ed21ef35403e6a21a425f2b33dca17a2f9f86edc1473eb7a45ce2889cbca115e2f6c5540ca71ddb99a37646abbe3379251424c6ebf8b4c70a7f1e6fb

Download Submit
C:\Users\Admin\Desktop\UseCheckpoint.pub.kd8eby0.397-583-976

Filesize
613KB

MD5
880ff46b33e9e39ca7b5ed17317c3e64

SHA1
b35e41d6ebce7750191ba743c4733f19a1f8e6c8

SHA256
e096c7dbd6bbf273048f6a357c2d744363000b2abf97b26b33c2440abd213fcf

SHA512
5640963d7d1bae9682442e775e0a6f96c2da20af40c2405906934f2dc9c0a506ce1583080e1ecc9993d0ae332a8faccdcf5690445dc38890db27ea8ebb0b353d

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
b3b954c2ac3c76a9ef124e886a955097

SHA1
bbaf3684b10da99b4a96a7953aaca18110a3f015

SHA256
de55f69c0dbef5f30da45c8bd658c8c1f9ea22b3320748d12b4bc2b4d5d4f2c6

SHA512
0bdd7be77376c49d40f6ab281b2740db1825b1838fe1edf5b9176645800f35ec828b4300a8f569ce96dc96b11e57e13916ada8faa9dbda6e0ca2741dc0d08b13

Download Submit
memory/412-249-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/412-24518-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/412-192-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/412-22821-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/412-22820-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/412-12115-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/412-196-0x0000000002030000-0x0000000002174000-memory.dmp

Filesize
1.3MB

Download
memory/412-30674-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1080-194-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1080-203-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1080-248-0x0000000001DA0000-0x0000000001EE4000-memory.dmp

Filesize
1.3MB

Download
memory/1676-74-0x0000000004020000-0x000000000416B000-memory.dmp

Filesize
1.3MB

Download
memory/1676-1-0x0000000001FD0000-0x0000000002114000-memory.dmp

Filesize
1.3MB

Download
memory/1676-0-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1676-100-0x0000000001FD0000-0x0000000002114000-memory.dmp

Filesize
1.3MB

Download
memory/1676-99-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1676-2-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1676-73-0x0000000004020000-0x000000000416B000-memory.dmp

Filesize
1.3MB

Download
memory/2012-80-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2012-75-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2872-77-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2872-79-0x0000000001EA0000-0x0000000001FE4000-memory.dmp

Filesize
1.3MB

Download
memory/2872-189-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2872-30705-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads