ctblocker | 1278fce7d3446e34bc6c46b7262ddb63c34c848696d428a24c896b9c700c1203

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uw Factuur 0092-0287492-39238.pdf.exe
Size

804KB
MD5

88a509f4974b099b9a18c97e93d23f6b
SHA1

215f031e777464de6a253be0c520c6ce815bdf88
SHA256

5930f3589545070d4ab4e09c857db89b9b60e882d12ee6dc0b7213e37d32a50e
SHA512

f9b378d7819f7087ef6abf276c59acf8b528d675e69f1da6d63b6690fb3d9f241c5702ae7e23f35bd21547bfe5e3202c2c5879326003caacc817d3ddc1b0cb4f
SSDEEP

12288:7W02CHYwXcuevg6KILXB6iVZdXlQgBI7SJrydLCf6WsfrZBIr5kei+o3cw5s7CRH:7ACHnXcEILxtZtSg+SBzf9uIuvMqkk

Score

10^/10

ctblocker defense_evasion execution impact ransomware

Malware Config

Extracted

Path

C:\ProgramData\nxvokvc.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

bwgpbya.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation bwgpbya.exe
Executes dropped EXE 4 IoCs

Processes:

bwgpbya.exebwgpbya.exebwgpbya.exebwgpbya.exe

pid process

2632 bwgpbya.exe
792 bwgpbya.exe
1804 bwgpbya.exe
1888 bwgpbya.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation	bwgpbya.exe

pid	process
2632	bwgpbya.exe
792	bwgpbya.exe
1804	bwgpbya.exe
1888	bwgpbya.exe

Loads dropped DLL 6 IoCs

Processes:

Uw Factuur 0092-0287492-39238.pdf.exebwgpbya.exebwgpbya.exe

pid	process
2880	Uw Factuur 0092-0287492-39238.pdf.exe
2880	Uw Factuur 0092-0287492-39238.pdf.exe
2632	bwgpbya.exe
2632	bwgpbya.exe
1804	bwgpbya.exe
1804	bwgpbya.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

File opened (read-only) \??\F: svchost.exe

description	ioc	process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 64 IoCs

Processes:

bwgpbya.exebwgpbya.exebwgpbya.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\callout.unicode.start.character.xml	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PCDR_HUD_4_3.scheme	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\error.png	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\403-18.htm	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\error_1.png	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\component.label.includes.part.label.xml	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\404.htm	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\chapter_open.gif	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\goURL_lr_photoshop_it.csv	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PCDR_HUD_4_3.scheme	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\404.htm	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PriorityQueue.mi	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\403-18.htm	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Steel - Stainless.3PP	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Linker.dll	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe-Korea1-H-CID	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dsc_backup_tile.png	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\palm_alpha_0.png	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\error_1.png	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\compare-with-callbacks.js	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\caution.png	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\sgr.fca	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\inventory_2.png	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\error.png	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Linker.dll	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\palm_alpha_0.png	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\callout.unicode.start.character.xml	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe-Korea1-H-CID	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\graphical.admonition.properties.xml	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\asyncqueue.js	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\compare-with-callbacks.js	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\goURL_lr_photoshop_tw.csv	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\caution.png	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\asyncqueue.js	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\goURL_lr_photoshop_it.csv	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\403-16.htm	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dsc_health_good_tile.png	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\sgr.fca	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Rabbinate.wMW	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\closed.png	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\wmimplex.CNT	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Steel - Stainless.3PP	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\head.js	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\speaker_system.png	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PriorityQueue.mi	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\component.label.includes.part.label.xml	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\figure.properties.xml	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\alert_alt.png	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Rabbinate.wMW	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Warn If RGB.jsx	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\t21.png	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\chapter_open.gif	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\speaker_system.png	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\inventory_2.png	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Grayscale.act	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\t21.png	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\graphical.admonition.properties.xml	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PlanObj.java	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dsc_backup_tile.png	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\closed.png	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\alert_alt.png	bwgpbya.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dsc_health_good_tile.png	bwgpbya.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\wmimplex.CNT	bwgpbya.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-wtkyctd.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

Uw Factuur 0092-0287492-39238.pdf.exebwgpbya.exebwgpbya.exe

description	pid	process	target process
PID 2880 set thread context of 2804	2880	Uw Factuur 0092-0287492-39238.pdf.exe	Uw Factuur 0092-0287492-39238.pdf.exe
PID 2632 set thread context of 792	2632	bwgpbya.exe	bwgpbya.exe
PID 1804 set thread context of 1888	1804	bwgpbya.exe	bwgpbya.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-wtkyctd.bmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-wtkyctd.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\bwgpbya.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\bwgpbya.exe	nsis_installer_2

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1056 vssadmin.exe

pid	process
1056	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

bwgpbya.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	bwgpbya.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	bwgpbya.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	bwgpbya.exe

Modifies data under HKEY_USERS 23 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c75fc47e-0d58-11ef-96b0-fed6c5e8d4ab}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{38861de4-0d90-11ef-8234-806e6f6e6963}\MaxCapacity = "14116"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c75fc47e-0d58-11ef-96b0-fed6c5e8d4ab}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{38861de4-0d90-11ef-8234-806e6f6e6963}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{38861de4-0d90-11ef-8234-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c75fc47e-0d58-11ef-96b0-fed6c5e8d4ab}\MaxCapacity = "2047"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00330038003800360031006400650034002d0030006400390030002d0031003100650066002d0038003200330034002d003800300036006500360066003600650036003900360033007d00000030002c007b00630037003500660063003400370065002d0030006400350038002d0031003100650066002d0039003600620030002d006600650064003600630035006500380064003400610062007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Uw Factuur 0092-0287492-39238.pdf.exebwgpbya.exe

pid process

2804 Uw Factuur 0092-0287492-39238.pdf.exe
792 bwgpbya.exe
792 bwgpbya.exe
792 bwgpbya.exe
792 bwgpbya.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bwgpbya.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 792 bwgpbya.exe
Token: SeDebugPrivilege 792 bwgpbya.exe
Token: SeShutdownPrivilege 1196 Explorer.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

bwgpbya.exe

pid process

1888 bwgpbya.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

bwgpbya.exe

pid process

1888 bwgpbya.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bwgpbya.exe

pid process

1888 bwgpbya.exe
1888 bwgpbya.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE

pid	process
2804	Uw Factuur 0092-0287492-39238.pdf.exe
792	bwgpbya.exe
792	bwgpbya.exe
792	bwgpbya.exe
792	bwgpbya.exe

description	pid	process
Token: SeDebugPrivilege	792	bwgpbya.exe
Token: SeDebugPrivilege	792	bwgpbya.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE

pid	process
1888	bwgpbya.exe

pid	process
1888	bwgpbya.exe

pid	process
1888	bwgpbya.exe
1888	bwgpbya.exe

pid	process
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

Uw Factuur 0092-0287492-39238.pdf.exetaskeng.exebwgpbya.exebwgpbya.exesvchost.exebwgpbya.exe

description	pid	process	target process
PID 2880 wrote to memory of 2804	2880	Uw Factuur 0092-0287492-39238.pdf.exe	Uw Factuur 0092-0287492-39238.pdf.exe
PID 2880 wrote to memory of 2804	2880	Uw Factuur 0092-0287492-39238.pdf.exe	Uw Factuur 0092-0287492-39238.pdf.exe
PID 2880 wrote to memory of 2804	2880	Uw Factuur 0092-0287492-39238.pdf.exe	Uw Factuur 0092-0287492-39238.pdf.exe
PID 2880 wrote to memory of 2804	2880	Uw Factuur 0092-0287492-39238.pdf.exe	Uw Factuur 0092-0287492-39238.pdf.exe
PID 2880 wrote to memory of 2804	2880	Uw Factuur 0092-0287492-39238.pdf.exe	Uw Factuur 0092-0287492-39238.pdf.exe
PID 2880 wrote to memory of 2804	2880	Uw Factuur 0092-0287492-39238.pdf.exe	Uw Factuur 0092-0287492-39238.pdf.exe
PID 2880 wrote to memory of 2804	2880	Uw Factuur 0092-0287492-39238.pdf.exe	Uw Factuur 0092-0287492-39238.pdf.exe
PID 2524 wrote to memory of 2632	2524	taskeng.exe	bwgpbya.exe
PID 2524 wrote to memory of 2632	2524	taskeng.exe	bwgpbya.exe
PID 2524 wrote to memory of 2632	2524	taskeng.exe	bwgpbya.exe
PID 2524 wrote to memory of 2632	2524	taskeng.exe	bwgpbya.exe
PID 2632 wrote to memory of 792	2632	bwgpbya.exe	bwgpbya.exe
PID 2632 wrote to memory of 792	2632	bwgpbya.exe	bwgpbya.exe
PID 2632 wrote to memory of 792	2632	bwgpbya.exe	bwgpbya.exe
PID 2632 wrote to memory of 792	2632	bwgpbya.exe	bwgpbya.exe
PID 2632 wrote to memory of 792	2632	bwgpbya.exe	bwgpbya.exe
PID 2632 wrote to memory of 792	2632	bwgpbya.exe	bwgpbya.exe
PID 2632 wrote to memory of 792	2632	bwgpbya.exe	bwgpbya.exe
PID 792 wrote to memory of 600	792	bwgpbya.exe	svchost.exe
PID 600 wrote to memory of 1904	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1904	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1904	600	svchost.exe	DllHost.exe
PID 792 wrote to memory of 1196	792	bwgpbya.exe	Explorer.EXE
PID 792 wrote to memory of 1056	792	bwgpbya.exe	vssadmin.exe
PID 792 wrote to memory of 1056	792	bwgpbya.exe	vssadmin.exe
PID 792 wrote to memory of 1056	792	bwgpbya.exe	vssadmin.exe
PID 792 wrote to memory of 1056	792	bwgpbya.exe	vssadmin.exe
PID 792 wrote to memory of 1804	792	bwgpbya.exe	bwgpbya.exe
PID 792 wrote to memory of 1804	792	bwgpbya.exe	bwgpbya.exe
PID 792 wrote to memory of 1804	792	bwgpbya.exe	bwgpbya.exe
PID 792 wrote to memory of 1804	792	bwgpbya.exe	bwgpbya.exe
PID 1804 wrote to memory of 1888	1804	bwgpbya.exe	bwgpbya.exe
PID 1804 wrote to memory of 1888	1804	bwgpbya.exe	bwgpbya.exe
PID 1804 wrote to memory of 1888	1804	bwgpbya.exe	bwgpbya.exe
PID 1804 wrote to memory of 1888	1804	bwgpbya.exe	bwgpbya.exe
PID 1804 wrote to memory of 1888	1804	bwgpbya.exe	bwgpbya.exe
PID 1804 wrote to memory of 1888	1804	bwgpbya.exe	bwgpbya.exe
PID 1804 wrote to memory of 1888	1804	bwgpbya.exe	bwgpbya.exe
PID 600 wrote to memory of 2604	600	svchost.exe	wmiprvse.exe
PID 600 wrote to memory of 2604	600	svchost.exe	wmiprvse.exe
PID 600 wrote to memory of 2604	600	svchost.exe	wmiprvse.exe
PID 600 wrote to memory of 2124	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 2124	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 2124	600	svchost.exe	DllHost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1904

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:2604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:2124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1196

C:\Users\Admin\AppData\Local\Temp\Uw Factuur 0092-0287492-39238.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Uw Factuur 0092-0287492-39238.pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\Uw Factuur 0092-0287492-39238.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Uw Factuur 0092-0287492-39238.pdf.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2804

C:\Windows\system32\taskeng.exe
taskeng.exe {3CC027C5-98C3-4793-81DB-773929C8FC76} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\Temp\bwgpbya.exe
C:\Users\Admin\AppData\Local\Temp\bwgpbya.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Local\Temp\bwgpbya.exe
C:\Users\Admin\AppData\Local\Temp\bwgpbya.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:1056

C:\Users\Admin\AppData\Local\Temp\bwgpbya.exe
"C:\Users\Admin\AppData\Local\Temp\bwgpbya.exe" -u
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\bwgpbya.exe
"C:\Users\Admin\AppData\Local\Temp\bwgpbya.exe" -u
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1888

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\xmxmivk
Filesize
654B

MD5
05a940d588deddcdc6fbaaebd0a9a739

SHA1
793430f542cfc8436f5cdaa2871040b35fa1dc30

SHA256
3169998e2d6c2924c2a0b29e02568dbc0f5850bcc27bb5ee19ed125b47d20163

SHA512
a14e134fcf2259d8f1c16631c3e402d598949bca68fcc7bc2b630f939cb88b16629955cdda4b30a4ab7b1ee53dd3be166d4df8e0ed1bf91cd00fc505e126e06a

Download Submit
C:\ProgramData\Package Cache\xmxmivk
Filesize
654B

MD5
fad7ffbebfa8983b0d97804144df9829

SHA1
969ba4b3820271964273be8a743d70d1d81ad966

SHA256
f12aaa10c80e68b6ca8e958570809af06af5e53ee5fcdc3016493e91e654352f

SHA512
cb5a5399400f9c24a1bfb1e1dffa056c53e804ba4d212a7fff5cd2d0b76180ee85bcf133b34326be73b6442d871bb244b61d0d8d012a22c64c1879327d5f6196

Download Submit
C:\ProgramData\nxvokvc.html
Filesize
63KB

MD5
736a0670797f599360eb824b3fb35d13

SHA1
cbd071c8d6e6da8495352444c39badaf68899f19

SHA256
fbba2ba74644454bcb6b1548e205b987d77143c8f239687f1a95b69bcba21e16

SHA512
061546cbd8e9733bb794559cb6ac7fd405e19ce36f208f17b620b379af654a535aa72645d681bf5a56fe11472526d62925a7e8ea41a7da7bd582dea105b00b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwgpbya.exe
Filesize
804KB

MD5
88a509f4974b099b9a18c97e93d23f6b

SHA1
215f031e777464de6a253be0c520c6ce815bdf88

SHA256
5930f3589545070d4ab4e09c857db89b9b60e882d12ee6dc0b7213e37d32a50e

SHA512
f9b378d7819f7087ef6abf276c59acf8b528d675e69f1da6d63b6690fb3d9f241c5702ae7e23f35bd21547bfe5e3202c2c5879326003caacc817d3ddc1b0cb4f

Download Submit
C:\Users\Admin\AppData\Roaming\asyncqueue.JS
Filesize
4KB

MD5
97c2cce0b8038bd21abaf457b50f8112

SHA1
ac6fc6496817e98c7701fc9afc5e0b6eb78d74bb

SHA256
f59ee97d7d97c887e5da91778ce8d3583b1e448680581e1796312d017e699059

SHA512
874ff6ce0ca3ed1a57e379e91a9ff94e3893b3ceb9e7c1b6bf715565347c14e3e8b8a3bdeb86ae55a9ce9d67eeb3dd6289e63b756dbb4b1db91ef08a88798fc3

Download Submit
C:\Users\Admin\AppData\Roaming\compare-with-callbacks.JS
Filesize
1KB

MD5
2c6f5684ce8e64e2ac4d106ec6c361dd

SHA1
78f431b04243778cf02f29c63ec1f10e464bde6a

SHA256
1d552bba9fdb2557c0a0b55c79eb322852df0e6a0bcb3b48cfbdd335f32b3552

SHA512
0e53cd5e0c943e9c2014b8b778811b4aa83610347f7156ef4b5f616a13a7d29552f72087fe8a956c1c9464af224dcf113232d65e913049e8be8966aa7f2887a6

Download Submit
C:\Users\Admin\AppData\Roaming\head.JS
Filesize
25B

MD5
19ebe25a2df3c27bfc3c692ba7ce9158

SHA1
f7f5514d24f03611b055af2fc9a541ecf579142e

SHA256
f5f9b7e1859d47775dfe65573624e84f1e2d6f9c2a3a08f684b8148cefb720e8

SHA512
76c4e82aa9bf6d64c956788eacb9c8bc13db2e626c44a548ab7a49dda9569ea06b48dc46b92e725ce2ab4a7a7124cf01565923adbc7a4c529ac429184639659b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\403-16.htm
Filesize
1KB

MD5
9d02dc79e5a6215c2931e56925a8bebc

SHA1
17f413e8eddea932d0088a4a86c43fc8d06c8c7a

SHA256
30c45a56c91ecfd5b654ad172fddc84e5d930e18f5031c778223651c5348d612

SHA512
7f64b11eee14c4e13d084211bd4848cdb27471dde064fad7ac787b7307a85b5b8c953d40b26b8db410bad2b268d6bd94e4e4cb8be6c299cd32e5818988ac22db

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\403-18.htm
Filesize
1KB

MD5
56dc72e6d4312b109ec4862c045d00d6

SHA1
35cb8a074b875326de6d4206feb631479c47e782

SHA256
0246ad30d0589512453a988e290c7c0a3d3a74dfaa7213f3716ef3ebf7c0b4d3

SHA512
7c7a1b996fec2e28b30533b297517bd5d621f0b7beac69b87c08742146028c6dfc9e34f3e391226d72f7723e54a3833877dca09b820299497ea7167395f1869b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AortaEndoderm.4
Filesize
1KB

MD5
a88ef914e52cf1ffe510701425e937df

SHA1
b192efc9c4389ee475d5a020c7113d1116576743

SHA256
1e55c3c596abad16c43bc6ce3104672d629b9c766d750580cc9a0bf22fabb03f

SHA512
600d9a0fbb7130f908f1a64288def37197a4d3e59489afc051eb8db085f71886f089917592b20260a06d01d217e826c854af445d884bea4ba8b68542c76ba362

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Grayscale.act
Filesize
772B

MD5
2ce81a3cc84b5269c1ac1fa076fd3810

SHA1
2f46aa44381ece540573257a59b1ff03977455d0

SHA256
fe468943559318a5108b2f74f642f1e2405e2eab23f37d14dc83c41f195e6af2

SHA512
d6911f56347566c13302e33f5dce0d740b4752986c2daef04f6a58e29fa94053496b41bf5f3aaa51e730ac1b2be0316e60ef9fcc7822ab049b8379b64cf34edd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PCDR_HUD_4_3.scheme
Filesize
193B

MD5
2136d93e357aa5a3b7cdd6b123744d74

SHA1
4746a60f98592eca58f3e613e2d9eb5ef1457902

SHA256
9f6005a93ba80caa9e8dd301951898a222e066a8abce6d60aeb2370fca2ce82d

SHA512
8e5b26f8bc6a6953cae3aba8d1d433c848eed79616d2f1c5f408eab643dd81776ac557c9595683ff7d04220eeb8d0465fa036c61295da551c89cde95c1043863

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PlanObj.java
Filesize
1KB

MD5
7094b6cd01119f5de85450b283a367db

SHA1
e03c02f4ff5dabe4b98ec4a423cd1964e9591dc0

SHA256
4ac71308dafbfe1a53e0a6bf7a74cdeafeb4d81086b8483f3a35c8b8fafd6070

SHA512
7ee072b238b285f18e7fef3903c102e712ffb32ccca8f52409154f77bf9d06b8829c09283276c3a14472f62022cd42d807764c886ffa2c66beeb6a4521d25783

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PriorityQueue.mi
Filesize
3KB

MD5
216ac955299235967e6acff2d142f90e

SHA1
0eb63a15b7e5e132ef5d7b8f35000c19c1e4914f

SHA256
3f8a4c058009b40c2c9db0a2742904419b3f83ace1a161fcd4535f4537618e36

SHA512
3c5cc8b586ca7586ed33745985760bf1b986932505696c63c7fef00785409cc312daa6de584e41521cebca1355c2d4e2cbacb3a8556015026547f169c7b0afe7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Rabbinate.wMW
Filesize
654KB

MD5
044033a694bcbef5652fa85ae36d3e2a

SHA1
927f3297ce02cd6fc62633c49cc44cfac7596958

SHA256
94ff0b44f0b036ef99c3e012e509bcbecacfe8c81027c9768b66a35e010cfbf3

SHA512
536abbb905c7e03abcdf4de28fef1cf002205f3522cf473ebee05db53942b5028298a4162e0aafca68d44b4964886e11afe3f1d95107eed08bd06b8a512dd16b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Warn If RGB.jsx
Filesize
3KB

MD5
ae91301a596819d2abe479e3d5bcf3f7

SHA1
c1effcc1b453ee3060d95334fae707d309732dee

SHA256
866ac76bce63b709c4a74c8ddeeb943064b51834abcb84994c9e49f66a42195c

SHA512
0cf8612875d2f5e4b75df043ee450ffa4f6091ab9a6b5d4dab851757c31a86c3edbb4385a59f4a7c2ac3c6926d6309529c92cb0c7d0e3c4f0f907e6fe48767d9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\alert_alt.png
Filesize
1KB

MD5
f1e7e527a5440044e05eaac629619e7d

SHA1
04320a6c16c5d0e07c931fbc118683dacae8eae1

SHA256
517b4d1320bb728dea51edfe782d9eed3474c38398d984ec61e3ee792c26bf34

SHA512
e93e2a57362cbcf3ce542b578ac65e27e56772a22e26e169238428d26ebcba8970264ab4e174a1a43b23a6815978235fcb1fc526b9ef8f7de1a7c6a3af37f9cd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\callout.unicode.start.character.xml
Filesize
1KB

MD5
4ab850cbbc8203dd0272494ccc005144

SHA1
3713848ecbb70b421956290a24cf5b966d9d6dec

SHA256
61b9afd95c0598c0cd16099a19d5d2b3dd1b3ce3441ad00f55be5dc40441e910

SHA512
89aa963cc1a79d48b48088c9d6963e0b19a2d8f528ade67e5bb69fd9c084147f46ed220cb6573da1b10416951ba22f8cafa7fe0b181b09644dee03c67274f67a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\caution.png
Filesize
887B

MD5
c81b5317d4908545f44864fce61f1851

SHA1
2845725264796608d781187d95d7d41ab872dea5

SHA256
e9faf89885257ccdf9b9cdea3c4104079977d43d907fd948f4c1526aee0c923a

SHA512
f1cfa4d3aaa99bfcd51fd39314b75547e5ba26df5daf3ca432d95941e42099b5e429367ee80caae0f4e00ce5a62a4e5c4eea9e7b4deddc82c68ba7fe382a51e8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\chapter_open.gif
Filesize
49B

MD5
3252c7b1c9eec98d0e253f5705dae0bc

SHA1
69ebac148684c7eef555716a94c630fc22ad065a

SHA256
61fb055c679d0185e3bc60c249f1282af26818a108b6920788e2ccc5497eef10

SHA512
4ff9a548a3cc4bcbeed534590430c1466ff82e9794a16634c25127d384fe0732e315be83ffe07525716e3955f51bec9a5496ade681ad2078e7422b0e3fc855d0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\closed.png
Filesize
157B

MD5
4de70be943778ffb0944086eac44ab2e

SHA1
eb989987af641851d16c411eae221a940b7c65b2

SHA256
faf0f34598a38de61a682563da285f05d10bef7664d7c7645e9cc48078032135

SHA512
06a297061d9c7d528c39c48313273ffa9cab32b6065ae741653d95e902883506d03b424ca696257038277a84ce7641fd4a1a8158141eed60dadbd2358d633cb6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\component.label.includes.part.label.xml
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dsc_backup_tile.png
Filesize
3KB

MD5
beb396b92b562044ba2a79aac9dc3f03

SHA1
55c9d9f618771539b48ee31caac008cf2256c48a

SHA256
5aca0d04f8792e6feadb2179cd7470efe5c8aa622217613f3a0a5b2d23f73d85

SHA512
2a1b8c00d71fad6e16682893db2fc62a17d99ea8409efcc559464a32bcf6de46e5ab3a1cc69f77587d5b6142b344b517dc10c7434a99aedf45d684662ca46070

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dsc_health_good_tile.png
Filesize
4KB

MD5
dd893d20a7523ef1da87bfd16df4e31d

SHA1
af8ebae84025ecc4b065967ed76acfbb793f8b42

SHA256
132542fca5d2885e83de0d2bdbaafad979ed34eeaac5d6b21771877a01493749

SHA512
b0f198978e47abc716c74dd49156b421dc3a81c0c288d5b748a2357056c0bfd1a359adf34732df50a3462de8c8a8b6adf87c1cc3c086f4b6c803a17932935d69

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\error.png
Filesize
1KB

MD5
1d1b1d388440bb5e2cdd4f4faa885716

SHA1
db102db4952cbb019575f9e9e8dbb46599e21d69

SHA256
f684fb3e456e1b76256fb7a210575a7a5701d18defa60e8e5ea9eee2881c5cbd

SHA512
33c05c70aef42e944abda76ddbdc1499d16544d94c5f2d3a1deccf9b91383077c52160ba9811f0136dd64dda292fea242b91cd68b1bf9c3ace01866da2e374fb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\error_1.png
Filesize
3KB

MD5
6f42ca6b4105204fcd946cc2ae17d9a1

SHA1
7d4a234e40ef4564943ece66d46d9e1417586887

SHA256
7d4b3a73836005095e230d6d34297baa68f816b71cc6b78ced7a6f60b46c829c

SHA512
724726aa1b898646522140872210fb4766d5c9998eed3192f112313081377e68077536f6589d98f3300909592584bf3b65820da253feea8eeb558153900cf97a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\figure.properties.xml
Filesize
912B

MD5
85c3875488d7834f7e6c8cb973f9eaf5

SHA1
26d894c21384bffaa2fc4ac4e0138010fcc839e2

SHA256
55618438832b35086532ac70c82361619861ced1a42317a2fd8d38c112c556ab

SHA512
e73662c767978b893ae0ad26c8500efd7adc674f748b0e26484329c1780f1de551746b8e88012f0c7d5e3fc4875c6968ee6c31655cf75a7d3caf6e3c0efba8b2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\goURL_lr_photoshop_it.csv
Filesize
518B

MD5
721b165d59b4fb4963d72ee30e0bb528

SHA1
c86e55ac72145e3fa7f477934b0530c9ecf5832c

SHA256
7ddcde24717074d4947fba773cf40f4aaabc007c721a8dad73fa49611922ca03

SHA512
ab4f7b2253098bc80f38fc814061e87fbeedca25f23a1e425e50910e36432bea74ec2e6856de4f3adbff380b4f6b7e44d7e022e6442b3a4b680f0939e5dd8b22

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\goURL_lr_photoshop_tw.csv
Filesize
315B

MD5
a495dbfcf4b0a3d3c31fb66ae38d372b

SHA1
8e4f6d1a038404df23ed5ec0ea78e33620ae50ed

SHA256
ab450cefc9d7dc3db5204e235475bc8168c064019b81d4c582c7cb3eb718a642

SHA512
3439f9cefb4c7337f8a203fb2ff225104657fcb20771c54896f75e83f6bc76c6e91ffb2952d209a3ab17cc904223185d0d8da3db4fddaae4a8430b2438294eae

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\graphical.admonition.properties.xml
Filesize
1KB

MD5
99f4c33375ac47e42b19d2766b80f5ec

SHA1
6d701d5fa120432034b33a3e83a5147ac77b392f

SHA256
2bb3ea90ac6dcc887c92b0d494dcf6e4947d5f587aa94d8ea770e2b7429ac05e

SHA512
afbc107d7db9be73619a8cafe16d8c51ff4682399b59ebee34a6868695cd1295b136259a59061eff0b2afc7c75eddd372c39cb91808401a2cd00b65112170d5b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\inventory_2.png
Filesize
1KB

MD5
6442c313e40885c47ac01d0e433fdc5d

SHA1
dddeee37bb621a2ee59ecceacd626bc83c0750c4

SHA256
985468cf92e095bd5f2d4e210a4285d01b07b77b26989427f3172498d8197632

SHA512
e4d6821dcf953ed4081f6cf9554b6956bbf9408ce240810ae083249f170df0e92aaeaabb012d69e96aeb5f65b9d351e2ca19ebdac8d015b3cfac1035520c5b8d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\palm_alpha_0.png
Filesize
2KB

MD5
d07b4c478fe0bbf228844214eaa2c4dd

SHA1
31c2997444ca4939c66ce58f14b175127a0c9dc8

SHA256
320afddc24a28690d50c1ff09305a93f3bd4972981f76d6af688328d6a788a23

SHA512
062266e7915db75bc2d415168aa2ae4fbc6771b5dca4bfe88af1d029b323f38aca8d07d179bef10ad557f9e44d86c2d3c0dcf74957e17e861c158626ee1c53cb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\sgr.fca
Filesize
1KB

MD5
076627fda0165dde7903bec469fa925c

SHA1
4dde60848d01def1e33584fadfbfe73d4d3376b5

SHA256
ab9048b1e3c4a588e23a2e01524b86d2a5ad75450e753b15d8ebdde37348019e

SHA512
80f2f596b7c576fbbc0e05785611cda26ce4e30a282b0221a4816e36ea10f9fd3085c14d4accadc8303e93d9fc054eba6565a47d006dceed22dc2173de80448a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\speaker_system.png
Filesize
1KB

MD5
c01f89dc4104276efafdb2c54eb96623

SHA1
b4bcddeaf49a11be86633652a40eff99d5063c9f

SHA256
8ac76e6e7f12ca2f2d3b2a544879c7bf711200987cdc7024b636b1ee2bf0368f

SHA512
98cb18158230973b86ea97871a85b50a8cf1927f2abd1095980563b673af2fe813974a26b10b97c1068039e6fcc9845f4c7e5ae96a649cbbc7899edb023dacbb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\t21.png
Filesize
1KB

MD5
b5cf827e091773ed84be06ecf2cf9966

SHA1
9c9e6132f17a119215c9b4887b1eb9ef116e8f4c

SHA256
23945722bf5e84a77946e3c7441877edb69960ee46f5432ba330e98b0b45735e

SHA512
f7f65af7c9c8d2d8ca64e5466e022eb9e8bc4f34e6546948d6e9c892d878c6cb5987be2c28e871d0a5edb7bee85b6b14c7ef700f36e516a222c07e087b18b825

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\wmimplex.CNT
Filesize
1KB

MD5
d335f72da6671c0f185f56118bfe6784

SHA1
700eefb07dedfbc0db8caa4236ca39d10ca84228

SHA256
a1cf001973dea0f1c7854278762607d1f3162d9563a0a2febe31793055acf20a

SHA512
427fb907d3381d432f60ee04e0cc90b96daaf7f0e5015fdaf78e7889f009e164a20952d118ced882fe692e09dd67af8798627a3ecb574952fa43f40dbd6487a0

Download Submit
F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
\Users\Admin\AppData\Local\Temp\nst1778.tmp\System.dll
Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Roaming\Linker.dll
Filesize
20KB

MD5
d4347e5ece1d7cc8a2fffb1afef7ea32

SHA1
4a656426fdc156a914494cef7f8fc437d6ca28dc

SHA256
6f7a21dd4e3539e81113a54f5f1ab70fb3e5457033e923fbb95fdb80b7c433cd

SHA512
0923dd987ef862f4341643627c68fdf276a749aa647c29509d72ec9ee77accb79a5fde7e1387696534e096c8c1714ce694c9c826faff2a06178b7068e7d48d56

Download Submit
memory/600-124-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/600-121-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/600-118-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/600-120-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/600-117-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/600-126-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/600-1337-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/600-128-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/600-132-0x0000000000120000-0x0000000000197000-memory.dmp

Filesize
476KB

Download
memory/792-1359-0x0000000000910000-0x0000000000B5B000-memory.dmp

Filesize
2.3MB

Download
memory/792-1349-0x0000000000910000-0x0000000000B5B000-memory.dmp

Filesize
2.3MB

Download
memory/792-113-0x0000000000910000-0x0000000000B5B000-memory.dmp

Filesize
2.3MB

Download
memory/792-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1888-1455-0x00000000006D0000-0x000000000091B000-memory.dmp

Filesize
2.3MB

Download
memory/1888-1454-0x00000000006D0000-0x000000000091B000-memory.dmp

Filesize
2.3MB

Download
memory/2804-46-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2804-52-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2804-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-50-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2804-44-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2804-53-0x0000000000A10000-0x0000000000C2A000-memory.dmp

Filesize
2.1MB

Download
memory/2804-54-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/2804-55-0x0000000000C30000-0x0000000000E7B000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads