7185e8c694984f512a44f240e4b89647c759ba756bd9e9947414941e4342d466

Analysis

max time kernel
1799s
max time network
1565s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/07/2024, 19:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
Size

235KB
MD5

fac89802b3db89ba74cf8891824af3d6
SHA1

27b57dfdc8b1b265e3755cc0068be846c4c4981e
SHA256

21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061
SHA512

2c604a00446fe4901341a4c8093443cba06fc00ee90a946749c3b66b2205339850740406edd0553ef55a33573599c7e494eb1b0552395d1cd9e54a8d4268b3e5
SSDEEP

3072:thrQ6J0Exp7gW31x+S/EkuIDNGqLW4t5P0tz/aMgb2JpL7Ag0FujYWkcv23nNT3I:tiHgpR31kS8kuIpW60tRPAOs3sc8

Score

10^/10

defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Ransom Note

[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem If you want to restore them, write us to the e-mail: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. [FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 1Mb [HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins [ATTENTION] Do not rename encrypted files Do not try to decrypt your data using third party software, it may cause permanent data loss If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files Your ID: j3Tjd3fs1LodjY9VuaKGfXXlKimB5hng1Su5RjgqSss94riM/pzdzewpzY+6tUbDsmby4j+CQhdNcrI1F6eV8gpfbYGHN/qbffoY/8BFqhqo658cH43rpTXTixRrMc6eFz4+UzAQLyLktcDLEe6F+SMBkKYkyJmS+NJxIG8JV6Q=

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (301) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\DECRYPTINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\!#_READ_ME_#!.inf\""	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\1.bmp"	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 6 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1056	vssadmin.exe
2348	vssadmin.exe
2616	vssadmin.exe
2672	vssadmin.exe
1728	vssadmin.exe
2092	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2772	vssvc.exe
Token: SeRestorePrivilege	2772	vssvc.exe
Token: SeAuditPrivilege	2772	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 3052	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	30
PID 2972 wrote to memory of 3052	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	30
PID 2972 wrote to memory of 3052	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	30
PID 2972 wrote to memory of 3052	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	30
PID 2972 wrote to memory of 2364	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	32
PID 2972 wrote to memory of 2364	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	32
PID 2972 wrote to memory of 2364	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	32
PID 2972 wrote to memory of 2364	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	32
PID 2972 wrote to memory of 2636	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	34
PID 2972 wrote to memory of 2636	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	34
PID 2972 wrote to memory of 2636	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	34
PID 2972 wrote to memory of 2636	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	34
PID 3052 wrote to memory of 1056	3052	cmd.exe	36
PID 3052 wrote to memory of 1056	3052	cmd.exe	36
PID 3052 wrote to memory of 1056	3052	cmd.exe	36
PID 3052 wrote to memory of 1056	3052	cmd.exe	36
PID 2972 wrote to memory of 2492	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	37
PID 2972 wrote to memory of 2492	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	37
PID 2972 wrote to memory of 2492	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	37
PID 2972 wrote to memory of 2492	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	37
PID 2492 wrote to memory of 2348	2492	cmd.exe	39
PID 2492 wrote to memory of 2348	2492	cmd.exe	39
PID 2492 wrote to memory of 2348	2492	cmd.exe	39
PID 2492 wrote to memory of 2348	2492	cmd.exe	39
PID 2972 wrote to memory of 2928	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	43
PID 2972 wrote to memory of 2928	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	43
PID 2972 wrote to memory of 2928	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	43
PID 2972 wrote to memory of 2928	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	43
PID 2972 wrote to memory of 2148	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	45
PID 2972 wrote to memory of 2148	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	45
PID 2972 wrote to memory of 2148	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	45
PID 2972 wrote to memory of 2148	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	45
PID 2972 wrote to memory of 2888	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	47
PID 2972 wrote to memory of 2888	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	47
PID 2972 wrote to memory of 2888	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	47
PID 2972 wrote to memory of 2888	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	47
PID 2972 wrote to memory of 1688	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	49
PID 2972 wrote to memory of 1688	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	49
PID 2972 wrote to memory of 1688	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	49
PID 2972 wrote to memory of 1688	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	49
PID 2928 wrote to memory of 2616	2928	cmd.exe	50
PID 2928 wrote to memory of 2616	2928	cmd.exe	50
PID 2928 wrote to memory of 2616	2928	cmd.exe	50
PID 2928 wrote to memory of 2616	2928	cmd.exe	50
PID 1688 wrote to memory of 2672	1688	cmd.exe	52
PID 1688 wrote to memory of 2672	1688	cmd.exe	52
PID 1688 wrote to memory of 2672	1688	cmd.exe	52
PID 1688 wrote to memory of 2672	1688	cmd.exe	52
PID 2972 wrote to memory of 2924	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	53
PID 2972 wrote to memory of 2924	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	53
PID 2972 wrote to memory of 2924	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	53
PID 2972 wrote to memory of 2924	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	53
PID 2972 wrote to memory of 2016	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	55
PID 2972 wrote to memory of 2016	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	55
PID 2972 wrote to memory of 2016	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	55
PID 2972 wrote to memory of 2016	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	55
PID 2972 wrote to memory of 2348	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	57
PID 2972 wrote to memory of 2348	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	57
PID 2972 wrote to memory of 2348	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	57
PID 2972 wrote to memory of 2348	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	57
PID 2972 wrote to memory of 1924	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	60
PID 2972 wrote to memory of 1924	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	60
PID 2972 wrote to memory of 1924	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	60
PID 2972 wrote to memory of 1924	2972	21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe	60

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
"C:\Users\Admin\AppData\Local\Temp\21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:2148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  PID:2924
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:2016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2092
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!#_READ_ME_#!.inf
  2⤵
  PID:1568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck

Filesize
16B

MD5
6341a17163bfe281a2e9fa7a985e0f5f

SHA1
6ddd27908cfcb3b9bf1bc2106c14f819d744bf8b

SHA256
5069304e78aa759159cc407be3e3bef87c1b919182b701144cbab00d2869c493

SHA512
5be574959b7d8ee28caf289b6859d8fd76af5dc65bfe2fe178946c42158444259ffc1e340c18c576faf64812ef2c6761fab7d38acb6a92326d715d3188782508

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL

Filesize
14KB

MD5
0aab37846d84c41ac8884aeb3fe3055c

SHA1
a0088d090ffa67d5a753cbd3b3018a7cf3e48c0b

SHA256
e5ef960db0d6498969ee7198db1828055a0c62014036d72d1834d54446381f55

SHA512
a436598c033d7f2658225c7aaca615c481648ecb8441b61a4019899e4aeff35174bd7eca42a4f5d14c3f5213ba025f7fc840a044f9faaa55e8ad78f79df3451b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
48KB

MD5
472218eeac3a3494ff9e932b2b527382

SHA1
bcf61341236e86327237dd49bfd4040c143e81dc

SHA256
0601c8688fa40e02c14c07d2d59ab91208f5422d9e9bb921f3cfc6ecdbc0fefa

SHA512
8713bc4ea809a379d55e71eb02b7fcd27cbc86671c1c09021a8a66e827f12375d39f4f21b5ff776e9bf56eb45abb773cda32480c99d0bbc76afc67bb91b036af

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
5ca99cd66116b2bfac6477df9877fa24

SHA1
c154ff279518c29076df222b02e5a0f47f082da3

SHA256
47009664fef725d9c0ddb12cddc41b1732d88a4613c0f1d0e5120c4e813df7f8

SHA512
0cd624ef243b88d834995cd738946881c641ce6d90a0a284a552939afa42bfe9245062b3278d1b60a0a9102e264d96d1f5734f6ade2e7fa03cade8a21d53993b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Filesize
1KB

MD5
467bb9265d25f08a90ac10b7695d4756

SHA1
3cdac5e4c31364a98a06e5836d7d1671bb08435d

SHA256
0d76a909d93875ebc4480a2af20faf21002d24eeb0f6dada2cd4b0406aa1d2aa

SHA512
592a75c99e8e2962366536222840099fbc1817784aea194c1cc41ae3019b0553cec06ab37641b6d9187232183b8e44a70372431dea1fd9967c88fa57032113e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2076_1697866534\1008fba4-e12e-4fb6-b030-9ef025751633.tmp

Filesize
88KB

MD5
d21d256110dd3ea30116298709c8e7fa

SHA1
e10d1fabce19cb8cab3a3f1674936e8ecda0bcb9

SHA256
c0753f2dbe04d552630f95f1601a1c1bff886552c9f42bbcd898a13221f4d78d

SHA512
a1fe3f7ad7a17eeb838415de34b084783f967eec0c6d291c5f55725f7bb119f311825918a5d10937bfaf06f165359a992cecc28ff0e9d4c7e92140c6fb501da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2076_762273943\de2794d7-234b-41a8-bb47-48c478696e49.tmp

Filesize
242KB

MD5
bf17a69f87c9069958e3c889859b2ca2

SHA1
0a0cee4280b10f1573f65d3ac3d48499ec06db11

SHA256
f01a9b6a5fad150e82f4fc7156f5be16071d735faff6685b826cb0396e89876f

SHA512
bfbac078236a819877f4f515f1c323eb769d1f1dabcfeb55dc737ed0f30344ee0627d0e490dfa13f4ad44ed9b0d7504668693799691e87bc44a47d5998ca9496

Download Submit
C:\Users\Admin\Desktop\InvokeCheckpoint.xlsx

Filesize
12KB

MD5
f898b5617fbf6a242acf01b9c423b73a

SHA1
a45c0704575ae2e99b31fd40bc8a7afe923f3334

SHA256
238a73ec4517c68c402f4e8ecc66d8cd7d4790eae9a6a5dd9e0c6e839e53feee

SHA512
56d81ad4aa1fe91744e778c231899ecc877b43070f2d2da8a302b9ef703d50782575c8dc3ec0b3d8e00a8225385a4bd4a3e96d280b92e761a3bcb6d967c64253

Download Submit
C:\vcredist2010_x64.log.html

Filesize
85KB

MD5
6122fc930c7792bd8008597511390a07

SHA1
41a70b0e75d5c56346cb28153ace8687229b7dff

SHA256
77e6edd65a2ed08064f7bfd90b791662d236d18bd89c56e0d5d9644fb21f0603

SHA512
479e00228cd6a72aca47857331039584f5f36f39c7cb47120dc9941d53cd6566bffc3fc8091e94e71be6537fab540049b1631bfbcda9ae0ebd9eab1c613c8b7d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads