Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A

Drops startup file

Description	Indicator	Process	Target
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.url	C:\Windows\system32\taskmgr.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A

Drops desktop.ini file(s)

Description	Indicator	Process	Target
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Music\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Searches\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Desktop\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Links\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Contacts\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Documents\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Downloads\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Favorites\Links\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Videos\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Pictures\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\OneDrive\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Saved Games\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
File created	C:\Users\Admin\Favorites\desktop.ini	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description	Indicator	Process	Target
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	C:\Windows\system32\taskmgr.exe	N/A
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	C:\Windows\system32\taskmgr.exe	N/A
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	C:\Windows\system32\taskmgr.exe	N/A

Checks processor information in registry

Description	Indicator	Process	Target
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	C:\Windows\system32\taskmgr.exe	N/A
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	C:\Windows\system32\taskmgr.exe	N/A

Modifies registry class

Description	Indicator	Process	Target
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A

Opens file in notepad (likely ransom note)

ransomware

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\NOTEPAD.EXE	N/A

Suspicious behavior: AddClipboardFormatListener

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A

Suspicious behavior: GetForegroundWindowSpam

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\system32\taskmgr.exe	N/A
Token: SeSystemProfilePrivilege	N/A	C:\Windows\system32\taskmgr.exe	N/A
Token: SeCreateGlobalPrivilege	N/A	C:\Windows\system32\taskmgr.exe	N/A

Suspicious use of FindShellTrayWindow

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\NOTEPAD.EXE	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A

Suspicious use of SendNotifyMessage

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A
N/A	N/A	C:\Windows\system32\taskmgr.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 3300 wrote to memory of 2328	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3300 wrote to memory of 2328	N/A	C:\Users\Admin\AppData\Local\Temp\ransomware.exe	C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2328 wrote to memory of 432	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	C:\Windows\system32\NOTEPAD.EXE
PID 2328 wrote to memory of 432	N/A	C:\Users\Admin\AppData\Roaming\svchost.exe	C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\ransomware.exe

"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp

Files

memory/3300-0-0x00007FFE899C3000-0x00007FFE899C5000-memory.dmp

memory/3300-1-0x0000000000690000-0x000000000069A000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5	ac6b23f341c93a5deb6692d8fed6f6a4
SHA1	6466c45b8c8dd60f03392614063d1c490231bf03
SHA256	cb84c85fb50de9ac3bc4763c504ca87067680bc129d44c256570f7e1449ab9c5
SHA512	d4483be2b241c12da57785d861018e88d75fbda736e51900872d105f11309474393c8381d654c4cf74242a7f138e070983ace9836806232afda9dee30e3dd29f

memory/2328-14-0x00007FFE899C0000-0x00007FFE8A481000-memory.dmp

C:\Users\Admin\Pictures\read_it.txt

MD5	18e13fb949ed44a7a60c867626989b17
SHA1	fa3766fa77f5353e34566f08980241da958a0526
SHA256	6e042f64e2ca554ceff5983f1efad19d1d409c2be80be8c306f27afc57e97798
SHA512	8cd750017c2d83c50fdfb7c52bde8c26b4d926e59d985dfe33c7be354142476a23993461144df987942af5d2e22f563f80b7bfcd8b30fa895fa4b7101fa0532c

memory/2328-126-0x00007FFE899C0000-0x00007FFE8A481000-memory.dmp

memory/4104-127-0x000001E670730000-0x000001E670731000-memory.dmp

memory/4104-128-0x000001E670730000-0x000001E670731000-memory.dmp

memory/4104-129-0x000001E670730000-0x000001E670731000-memory.dmp

memory/4104-134-0x000001E670730000-0x000001E670731000-memory.dmp

memory/4104-139-0x000001E670730000-0x000001E670731000-memory.dmp

memory/4104-138-0x000001E670730000-0x000001E670731000-memory.dmp

memory/4104-137-0x000001E670730000-0x000001E670731000-memory.dmp

memory/4104-136-0x000001E670730000-0x000001E670731000-memory.dmp

memory/4104-135-0x000001E670730000-0x000001E670731000-memory.dmp

memory/4104-133-0x000001E670730000-0x000001E670731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url

MD5	1a09a38485cbf1d59c29d8e3213e1ab9
SHA1	9cbe6ebd07b13a0d4b2565dc15a273629aa97251
SHA256	0a3bdc40dc0d243784bc5fa887b79110350b3d3200684f3ba99880fcea40e3b8
SHA512	a33c228196a4b3f14e40ac6ccb6c43002de28063594c472db852bedac20a6725f4e7601b9f32516e2c6bea35f83746973b3f1d200d9e5d668bda7553b62ac616

Malware Analysis Report

2024-08-06 16:13

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Sample ID	240628-fbb36a1grh
Target	ransomware.exe
SHA256	cb84c85fb50de9ac3bc4763c504ca87067680bc129d44c256570f7e1449ab9c5
Tags	chaos persistence ransomware