885597ae08102247ee256cf2772c9a4ac5178b13d7813a2caa72770d9c9f9886

Analysis

max time kernel
304s
max time network
306s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28/04/2024, 13:12

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

WaljiVeerJ307218713021 (2023 - 2024 Term 2 23_24)141222.pdf
Size

38KB
MD5

a811bff26af06dcfb017ef389660ae57
SHA1

25e6daa9ed13ce4f4454a70b511e11059044f416
SHA256

885597ae08102247ee256cf2772c9a4ac5178b13d7813a2caa72770d9c9f9886
SHA512

cce48541d87be5a65e5c969bcf21312c9e70efadc7d559e086a0dcfc68c84c3cd4f5307cac8e3e6c4095868341517f505354375183b1e6bde82c7b5b6a594c73
SSDEEP

768:VxF5rIgtpjmr2G9o0paNbRKLAi5FCR4iT+XhdrEI2ctaCFZk+pXY:4gHmr2G9o0gFRK0i5FC6XrrE3uTFZVXY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1092	SystemSettingsAdminFlows.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	SystemSettingsAdminFlows.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	SystemSettingsAdminFlows.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\PBR\INF\setupapi.offline.20210605_121033.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setupinfo	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\setupact.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Timestamp.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\actionqueue	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\diagerr.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\setup.etl	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\PushButtonReset.etl	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\ResetSession.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\Contents0.dir	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\PushButtonReset.etl	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\ReAgent\ReAgent.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\UnattendGC\diagerr.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\Contents1.dir	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setuperr.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\cbs.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF\setupapi.setup.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\cbs.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\INF\setupapi.dev.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\DISM\dism.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\diagwrn.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\ReAgent\ReAgent.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\CBS	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\DISM\dism.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\setuperr.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\INF\setupapi.setup.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\_s_37BB.tmp	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setupact.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\unattend.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\_s_3972.tmp	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\DDACLSys.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC\setuperr.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\INF\setupapi.offline.20210605_121033.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\INF\setupapi.offline.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF\setupapi.dev.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\diagerr.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\SessionID.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\_s_35F5.tmp	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setup.exe	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\WinRE	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy.LOG2	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\CBS\CBS.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\_s_3972.tmp	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\BCDCopy	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\setuperr.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\setupact.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\ResetSession.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy.LOG1	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\MainQueueOnline0.que	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\ResetConfig.ini	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log	SystemSettingsAdminFlows.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587836509318612"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "118"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4536	chrome.exe
4536	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4248	AcroRd32.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
4248	AcroRd32.exe
1092	SystemSettingsAdminFlows.exe
2776	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 568	4248	AcroRd32.exe	82
PID 4248 wrote to memory of 568	4248	AcroRd32.exe	82
PID 4248 wrote to memory of 568	4248	AcroRd32.exe	82
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 2044	568	RdrCEF.exe	83
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84
PID 568 wrote to memory of 3508	568	RdrCEF.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\WaljiVeerJ307218713021 (2023 - 2024 Term 2 23_24)141222.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4EF283F8CB2121BCEBAC94BAA2ADF694 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2044
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8A531095610A871590DFF7E900BC840D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8A531095610A871590DFF7E900BC840D --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3508
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=84A26F17A66336C4A8D2FF54F4F9C1B4 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3104
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EEA5465B150EC3D6256E66F392723860 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1948
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2560EA20536B7E55792598222A6A6CF6 --mojo-platform-channel-handle=2356 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:812
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=72C2F6F3CE80A8170604391CF92F5814 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=72C2F6F3CE80A8170604391CF92F5814 --renderer-client-id=7 --mojo-platform-channel-handle=2428 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd0206ab58,0x7ffd0206ab68,0x7ffd0206ab78
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1356 --field-trial-handle=1756,i,4029677637788013849,9861284394348416477,131072 /prefetch:2
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1756,i,4029677637788013849,9861284394348416477,131072 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1756,i,4029677637788013849,9861284394348416477,131072 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1756,i,4029677637788013849,9861284394348416477,131072 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1756,i,4029677637788013849,9861284394348416477,131072 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1756,i,4029677637788013849,9861284394348416477,131072 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4408 --field-trial-handle=1756,i,4029677637788013849,9861284394348416477,131072 /prefetch:8
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1756,i,4029677637788013849,9861284394348416477,131072 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1756,i,4029677637788013849,9861284394348416477,131072 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1756,i,4029677637788013849,9861284394348416477,131072 /prefetch:8
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1756,i,4029677637788013849,9861284394348416477,131072 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4940 --field-trial-handle=1756,i,4029677637788013849,9861284394348416477,131072 /prefetch:1
  2⤵
  PID:2788

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1028

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4916

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1268

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:872

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1112

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3936

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c8855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$SysReset\Logs\ResetConfig.ini

Filesize
186B

MD5
47069918e9e83eb02bff5ce5498c9bbd

SHA1
17ffee2e0ddfec27bba8c1a3550d57c7f92960d5

SHA256
e7688a4bb28fbb7b562886e29da34887d6189a52041de39b538d5c2caf3c932e

SHA512
7a0d2ed36988aa921e0e09779bb8defe38133c8f6add2159cceeee59f5083d391fea2f7bee961b5bba4767e75eea8a2670e7900290c17ce7cc80fae7e037a4c1

Download Submit
C:\$SysReset\Logs\setupact.log

Filesize
115KB

MD5
6b6dd6951a77510a6cb0869d52ca7ba8

SHA1
02e1c994740b41af01f82cb9f01010cfc5b0fd4e

SHA256
224f3af246d86257886b4fc235e0e8b9d21dec537c6b3f4f1c734be1ae74bd7e

SHA512
258965f56ea6c86825819cef89df2f6222fd5b7a079f839ba92df759ae87180e3da54cf486a1adbc72a9734701af1433bdda1268278b6c65d4702846c611813a

Download Submit
C:\$SysReset\Logs\setuperr.log

Filesize
974B

MD5
73dbfdd89aec53ca279415e45eae18d4

SHA1
1dbce1f1a41b39d816da490423a3c64ca03d7000

SHA256
f4e3ee5b9596584df7d97733020da66fe2bdd887e82564f196d33a0e8aebd8fa

SHA512
9a385f0aaa198775c6f4f146806a6c83b048f4b9c90f07727015f6be89638015e4fcbba3d23af6d40442c1caf33d161508827573f73c9c2d61721e6d91abd073

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
95065b36162142e2d8cfcb7952dda1d6

SHA1
d0a016620819c76f6ec42967be38670936382044

SHA256
33905b35e18cf72fea6b5805c7e1ef34c1e564249147323629e69e9bbe1441ee

SHA512
1611f82eb63433dc2427304db2ad550cc325e32ce2461a90c6a13a822069efcae9d4d0a6efe5c7afa0c6b568e581edf39082874bece2d8162056fef7903bfe65

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
00c50a49e6a27d41cf47f4181d3a8c04

SHA1
a7e86bc0e242e30aba672875138a565233befe10

SHA256
801c1edd15a4caee68b46f4ae27ef5b75fab511c93b19f6f153780150f33bb3d

SHA512
6de8e38fa01b6669813812125165f975c3738568f068d7a337bffe58b43bd339bf2d4b8c3a3e3d8a18415c476055fd1bfecfdbbcf5944b398aae27bf3cc37c62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
9091ecf3bf166358c349cb7f3c0c040e

SHA1
34ec042c7e4acc0d772f0146815cafa69299090d

SHA256
6a0a649bb9a80719301aeff7bda627b70113c83c9263c0416127dbff6a51e15e

SHA512
ec5aa468c0424304d6c7bbe6feeb7b12e830209cb7b7788572204367238dbbe8d3f98066b08888c8c215e6a5b8a90fd10d1345b760c6e5d36c9b4d7a5434b6a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
1ea671d955854743f09a7e24e24e13cf

SHA1
ede6d9c672390bd4ff34d4fd1b4046e469ed8ee0

SHA256
4da87183230823e360df7128d70ba70589698beb9e3502c89234ea16f5da80a2

SHA512
fac1e021b232fd4acccede2c4e13b3cd9a0fbfdcd94dd88905e40e516be01600fd2812a04ddcb3e7ccd3eb8bb7d70eed25000572f81ee004fb64dbf2b0d18d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
75c696b2e7deb38a8d72216dff9cd06f

SHA1
fc9cf02715181f523d92fa6a592e3ec44f4e48e9

SHA256
2212fc96e28e823a71348a99e8bc03bd0c8a0ce5ee642280933483e8d521405f

SHA512
980df325565a44935e5de9d7ae8b52af930139955d22278419e3ea4ca71a37f58557fc43ab8778d2c2df257f88d8e10d4419bd13125d7d8fa4c34a71211a25d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f8d52379166bea237f55f6f3312f9709

SHA1
a182bf1a0ae0524c40c8797625853b6b796a1a40

SHA256
aca70067da9dda2f35bcb36e4218dfb722aec75f5144074f2f40be45fa488f4b

SHA512
07639a9f84442cb4556ad93fb1ec6cba9a20b3b9612c804730b6ad1f42fd23aec1c8710c4f16ad356192c306c4a8fbf1614565c16d33a703463f80a3d4282ae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
15bc4bc7a97e93585db7ad9f2358527a

SHA1
8bbee7919746ed02f658503567fb55e102257162

SHA256
7f4c5143c3a807d7e53a0738c02b600b205731669101b73d33b8c0cc0d895e5c

SHA512
132f452b6a4d29a398014ae7b2da7471de5a6c792e85db334c0ab6412d30586a615f09bb5153640f56a86c5fec77c8454b22dc3f4a25ac5d18254a9225a54c58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d25adaa9358ad47adcdd679f11af2af0

SHA1
cdb320bf848a36a7ecf28f8eaf770c41f000469e

SHA256
085ff85e07a7ebb90ceb283db2aa5594ed83485473e96a68d1605b1555150ceb

SHA512
713dfa305b86ccc279acf809780304ca174c24b679893157568e5bc15006d495a134763797a19a97a14233c5995d634df505d0f83a3ab73b0337adbfea16bcab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4e64d9d6993430679a51d8216e1774a8

SHA1
868e030fa9b549b65bc01d5c3dc07b487a961a78

SHA256
473f242ce9f82aa8a28969635602edc2296d758cf3493d1a0d1cc4ea6834c5a5

SHA512
40631215e284c76071afc947d1884af6e7f05a681d2540ef4e1a372d4d90a0719ecfc8e05a603ef40bcaf357da12400ed9aa6fb5259137f81d1794658ac7036c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0d99b0054bf1c09fadfc5a7d3e76333a

SHA1
d7f0db98a3b7faf6fd5c5fbeb14d4c85afdc23d0

SHA256
8efd17a1cb03e5f25de18038833adcc831bf6c6cf6ddded4b37160119186fb96

SHA512
72ecfa4507ff46f024a4974af2db6802016146bdb86bf4f0c437c7dc4177d22e4ab31785b03940d1ce73508ebdb4fb6f198fe96900d1a1015e038db86c3077e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
2c6c15f7e2491fccfa01cbfeab895a61

SHA1
91fe4043b4169c8e80690e947929cc8ffe7e9855

SHA256
94204308ab6dc0a52e8131f5d2f47bbd55e37daefb8e692968b0fc2bdd20bab9

SHA512
9a1b2d27cd9b42a64f76e013c1e48a2a0d1adcc9149f0b57a66405831e2c7c0385e2e0f420b3e326a31632339de880debd619768c600efe733f928809a27f0c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bc78d1f808bd0a6dbeac9f826607fe70

SHA1
32296a0cbebd52f21c76a085fee5f65dc787050f

SHA256
331f5cc1cd212a4315d8f90a4928fdc2c106a2fb6d92faf3fab3d201791cea73

SHA512
d08f3696b0701f09031d33376fe7c25847f50fcc4161c7d5c03c61c10b4bfee5e30219415ef18b2e1fc47280a8b294717b501f7a0b9dfb311b4263c844c6cb9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cbb4c58aac4e0a6f2f0c1241d194b488

SHA1
ae4c8a863c85cfa586c5b9e35824d6b970d67609

SHA256
ac89c1d57caa4a8fbe67f4df2a24d342db48d14f0ec6b40401539278b701ac06

SHA512
8ab6b8e2304c6200d0b8e2206718f66bcf69a395ee38977a997119c9b0d7babb2bf0c51c3062c65d9dfaa02c5d9f27ac8a77fc0c70f42d16c66fa01178071ff0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1cf09cf620c47fd0d895643abd6e5921

SHA1
d3ba8451c8183434097c60af35f4314805cbeb2c

SHA256
a869629046d6c3f0508156c2bdd507689bdc4afb98e2aa1d4dea39bfc720ad2e

SHA512
adf6034cccd91175de15a6f2cdcf2a452e0b816f974c55aa0706b64bc2eda35c670dd4210d372d227fcc14e6a0ff58505398e4d956684bc2a954c00e5f845261

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3a72bf3af3402fddcbfc07473885273c

SHA1
95a355ced09d5b2591ddd924ad4970d79a5298bd

SHA256
1d587ff197e037d69e05fe556b68c2e6ffbe5bc201cbcf6f88992901b23080e2

SHA512
dcd0394f5b9de006684d7538f567cdd035076594babab166e9292e3efd02976646575eb742fcc67e0dc0bf6deb420c71d86f2cd81032727d5c7e79b8e4fd1bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
fb58b1b72e3f9556ebef6bb09659baf6

SHA1
ba37a9f661f03a6ca491996ac5d4680fccc29fbb

SHA256
368865b7c466eea6a24779806ea9d391f95a9e2c93bdda9b49af7ec301771db5

SHA512
0d4242bad89f13e8b13e5575dacc09836c109a120cf69b7d09341a671b42b03f963bea729b936da4716ddbe74dfe8bfd57eb58f7564b7507ce4edf6da7e4d16b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
dcb9782e61b528cfcaaf25038d27ab8b

SHA1
3f489732fe0f0b7fabf25d969f816f78117f3cf9

SHA256
68c88e514941a173fd05329acdf2a73df848d23229cc92b5fec04597f52abe13

SHA512
04b9541423c1f3d0ea826b5bac0a40def3026d74be01d82d9a8f42b35312bba182e7f27ad388a237b58c6dce0d0bf7ee30c8b0caacf6a05bd3b3d6ebd2c58be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8430E4BF-33EB-443F-AAD9-89CD12DBFB13}\ssshim.dll

Filesize
148KB

MD5
3de653713e705e001c3f0be1efc51ed3

SHA1
63565592c266226d36604933e51725e90010da25

SHA256
c78ebef77e03135b3cea0705d4c259d782ed80746faea4e9f4a851e494fa94f9

SHA512
7db1063fa2a7c0bcf394d7a20984ab1b501cb24fae5e801addace77424ba773c948a87d8c3fb38f06366b1478f70ba0278c48f219d224ff6e904ff2ee161fb4e

Download Submit
C:\Windows\Logs\PBR\ResetSession.xml

Filesize
7KB

MD5
626b8deb3a207eb82e04d88d68e4ec8b

SHA1
64790c041ed2fbd9019dd705a31fcbe356fe479b

SHA256
9f314c28ca8cb27d211773095cc3ff86b589a20b900711e61195d2ebf0133c0c

SHA512
3d5196a34a76ea051157a04bc249c0b22114f5e31f1b17f72f378dc0c32015ee42f60bb959040b66dfc595c7838455cd77824479e49d0631f4523967243bbee2

Download Submit
C:\Windows\Logs\PBR\SessionID.xml

Filesize
106B

MD5
d4698140dd197925d525c1428bba5d9b

SHA1
489889899bdacf61d41940e2a49a3a6d971219de

SHA256
9b6c8a46a845888b4b19124ef994f952d53ea39f14151b34f991e61412719107

SHA512
55d40306ea4e5e86e07f0e08717b3eb06aadf72889d3a0850f627ecd29dd59da62c0c32a96f47cf9ea1ec1cdea5e10b23152c7dfccf4eee954002de7c4780c8b

Download Submit
C:\Windows\Logs\PBR\Timestamp.xml

Filesize
42B

MD5
8d6ee034227d8894f2ce8c192ef589ee

SHA1
f525a4d9d9a6dabfc448ee5183de680fbde253aa

SHA256
9190039505c50353a791ff1aa1bf7dfa3417db7d8cb3a1d94d8888ee139f6cf4

SHA512
e281c6b07134d3185e7ad786987216bb11a67611b97561a94eba336d4223346ade9a1eef2fb2edd9f55f085e9bfc654d177865c75487520c1035584bba42bbba

Download Submit
C:\Windows\Logs\PBR\WinRE\bootstat.dat

Filesize
66KB

MD5
668d82b83f8c52c0e5368a44b7eaa5a4

SHA1
069ec5b3f9ae609baafe6e59651dd361a9c6b33f

SHA256
106beb7dabcde632548e4e752c3c6222936ba8ddc2cf7e4864296070bd0553e1

SHA512
e475a3b75a9fbd00c80da10debf287cbfa06a7d583cbc886e42db81f9e0b32f2dc6c3676181d430699bfb2ffe0c71f5e40bd80836d5c2794840d7d1ab0d9b98d

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
12KB

MD5
c32cd9caa0409d78f795a955332e80de

SHA1
8fedfed0a0efa7b89a644b499f612d0d10524cd9

SHA256
bc723574a64f731e8785e924231f1c3e64aae7877a199a2da1da19e81e31acc5

SHA512
a98875348328af09fd04990cdfe36c27e50a1a850323f37b1831b7cff758e906a89875f966a26ebbf4bde618b216b0c3f08786d66995cbb8295fe7c769cc6505

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml

Filesize
1KB

MD5
bdccc0adae91f88308d7819f3c331192

SHA1
6f1c52fb12f4b108b33047d821fda2e93fe0e38c

SHA256
a4809049764b27e7fc7104bca944448d1b517907ada24a05f6637b7b069b37a1

SHA512
c1eb3ec3ea415e29e87c6d03bc39abf0fed80583b5dbe25c8fa44547335a68dea6278415b1ad6bff5f2e78d858a6f2f638b2d7df6df3a00ae7d17dc4516d2428

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads