Resubmissions
28-10-2024 19:44
241028-yfzzwswbnl 319-09-2024 17:46
240919-wcq7gasarn 314-09-2024 23:25
240914-3egt5sshjc 629-08-2024 08:30
240829-kd8mcs1hph 929-08-2024 08:05
240829-jy9jqashqp 329-08-2024 07:45
240829-jlqabasell 329-08-2024 07:24
240829-h8gq1szblh 329-08-2024 02:45
240829-c8p5hazemc 327-08-2024 21:54
240827-1sjjsatcmf 826-08-2024 22:44
240826-2nwtzs1brm 6Analysis
-
max time kernel
324s -
max time network
325s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
29-08-2024 07:24
General
-
Target
https://mega.nz/file/8zdVADbQ#zgBChae6OAWDlXIIXvyN2uTShbQUcxQkIfMD9eQhdQM
Malware Config
Signatures
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 60 IoCs
-
NTFS ADS 3 IoCs
-
Opens file in notepad (likely ransom note) 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 60 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/8zdVADbQ#zgBChae6OAWDlXIIXvyN2uTShbQUcxQkIfMD9eQhdQM1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa7c973cb8,0x7ffa7c973cc8,0x7ffa7c973cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1888 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2420 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7032 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1520 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1736 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,9797939218111313659,15985579848169226536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7456 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\nexus\combo.txt1⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\cheaphotmails.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\socks4 (18).txt1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\nexus\proxies.txt1⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\nexus\NexusFN.exe"C:\Users\Admin\Desktop\nexus\NexusFN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD53e2612636cf368bc811fdc8db09e037d
SHA1d69e34379f97e35083f4c4ea1249e6f1a5f51d56
SHA2562eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9
SHA512b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d
-
Filesize
152B
MD5e8115549491cca16e7bfdfec9db7f89a
SHA1d1eb5c8263cbe146cd88953bb9886c3aeb262742
SHA256dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e
SHA512851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54
-
Filesize
30KB
MD5d1ac99f22b8d1149ba74efd60d894819
SHA129a846bd46ecab2c9fa87d1a86fae6c08e642b70
SHA2564b87080fbb2db7330df4068005d45c3339a603f29579731eca94ed8dfff88ddb
SHA51267cf99b90dba66196ff724f2c4d6fba333d88cca9cc42312530973f2f145cc24b3669178ab7c32e254d957ff84078edaf4fd9918ae2631f75e5cbb2fe10cf416
-
Filesize
34KB
MD5118ac39cff9e828be993490f864266ff
SHA1ae5df00b1ffe0cc28ff84dac418a866540267d8b
SHA2564a81760dfecd6b4890a7ad37ad772d15a7dbc8cc409fcb48a0501ee75cd55767
SHA51288272ad598555ff57f316466c7625f53b07bcc5e65f11f44573712dcd6144a4ac2e32b11c7547b06552168299b8b7b01dadce6dfb92fc99289bb9ca562b621e6
-
Filesize
102KB
MD594f16cfc0d63c0632a7ffcfea76602e7
SHA14e721cd4a07875e4028c56fc0743b9cd9c45c650
SHA2564343702def9ed11dc8db2489f03d38cdc08cbfa2bd8a8f869920aacb8f33ff28
SHA5122257c5aa0e6ce80445778866468efb04a9a07b60872a420b8617d3a7c653055207321458f27018e3fee002aef2733cf62eec1ca6aa573baf757d331f7b57e01f
-
Filesize
91KB
MD5610f9799bdf95232bb7d9e6b5cfee168
SHA185315fd506adbede2200977518516c287f417e74
SHA25622dd1cd645b44adffd6efbfcbab21817a31c660fc89b23738c439489f6b1ff06
SHA512dc33bd92733a38c5f72e2e63f9b11e960a0ee108c27f0889a7438c33361fa7dc0f13db8f421e8b7321b3b837aa6acc8aad395dd9b4d72062a1e26476397206c4
-
Filesize
24KB
MD5c594a826934b9505d591d0f7a7df80b7
SHA1c04b8637e686f71f3fc46a29a86346ba9b04ae18
SHA256e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610
SHA51204a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961
-
Filesize
212KB
MD52257803a7e34c3abd90ec6d41fd76a5a
SHA1f7a32e6635d8513f74bd225f55d867ea56ae4803
SHA256af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174
SHA512e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540
-
Filesize
72B
MD5d69efe2ba1eb62afe4c303818c6e9e8b
SHA1c02a2bbf20f1eeeb7589d2b5d6e0474f935837a7
SHA256f3647d8d75ea331d3cbd1c9460fe8d2b8cad3e97de301446ccdf24983f8839ec
SHA512dd21073c73cd72bcbf17c9d3e522ec84606fbf639a0a97360e68f77008a8985519fa80a1daa5a792f1f89583af0eead1a3120693aafa126f953c7b370dc8fa21
-
Filesize
1KB
MD5bf8e92db5170fef1a6cc27cf81dd42d2
SHA1d8e72e6592e71bd846eee9c2eec6049fbff5b738
SHA25601a445180b6020cce4d90bef6299af3535abfa63c5b1a8002c481fd7a59a2065
SHA51284bf644e7d832749b0008bfb18eef96b026fc90acd8ee14106b4ab989ab9a562d30cd9e4baeb3bef45b8a0fa08f1102b2a2de8e89d8cd351e7eb3ec2c28ee65f
-
Filesize
1KB
MD5c7ba6b3a91f19775b8d9af14c2979e8e
SHA12714da6a577ebf04b1e17a4aaa4243132494f15c
SHA25633dda2726132305aed8db8fb33cb6b72db85f56224d73ce2f96339f69c96c1d6
SHA512633a02862385289f4cfbb2a2282d863658a4307a78f8a7df077e5aa147274fbd6522791a2de203938c996c52a05305c4163ff8b8cbea59494de23ee02c2fcf48
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
188B
MD5008114e1a1a614b35e8a7515da0f3783
SHA13c390d38126c7328a8d7e4a72d5848ac9f96549b
SHA2567301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
SHA512a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b
-
Filesize
2KB
MD542295f5f04940c9074151c5b35df2de9
SHA1dec0bf850180eb4d6d40c13eb63c2afbebfaffdd
SHA256131c320f89709b599a094eada44088975bf42bc5a92b3e29fccc6eedc4f093dd
SHA51227cfbf221abaeebc24bbd80196470ee638973f20bd65b8a86aa835d1411e03207a7568d873ab15d9247933aec805fb997cbd268242aca0ba5059fdf3d71776f1
-
Filesize
2KB
MD59cc77b78a0dbf4764f3172a79ba99253
SHA1efafdc63b002874fad232e6aa5c5f41799dfdd36
SHA256a590cc672f444e6f2a688a50c413f9d4445d9dce36896d7b00d49228a299a585
SHA5122739f12e52269a232fd3e6b868ebd96712a4e3dcd892b8e3b75146f45760b12eb13cc5f172882e4878ed223d0045e51a04f9f8b886430aa73b29aa121feb6072
-
Filesize
5KB
MD56ca0acc2f5069ee4f9f2491de5d4c785
SHA1054825f552adc8cd456349a650199a42ef5569a7
SHA25665e85fc84b4e231dd208c7a9a84b47b70e258befbb997f0a03255f6818833fa3
SHA512e9d3649452c10e1e07f598a42b28c1e8babbd3f5995dc7334f60ee3fcdf8ea20f3f12a007348edd356803e9f962ffc3c0dd9b292cb326b2bdee8b7c518768a17
-
Filesize
6KB
MD51ba85f25cc6f1dc0db7e0ea93c556c20
SHA12cef13177306ecc1ef7bf0cf506fa9e026f5b6ea
SHA25656f048dc086ee86adf301f361290471c0bf6fb7124cbc2a650bf8ba783f35b1f
SHA512f2f1dc7c6da421575b91ae3f90b18145c2104b36a9f8ac106715aaff2e67cc872da168ebe7067aec2afc8c4d6e3372ed9c0b04376034a6925613303757765472
-
Filesize
7KB
MD5eb6b0e58d6ab7d6ad84ec93b5b026313
SHA147dabc23693b4931e5d6f56d22392443eb82c774
SHA256033691e68008d5ac744076bb0e55598d0a645ede92884e6970cc0226e86bd34b
SHA512ff516179efb5f65a0f798da181788e00a545d2063ff5052e29077c51737272f30a28a6d4959c39c5429bc987a403f4e1aedacd8465316c2cff7a005d84ff232a
-
Filesize
6KB
MD561ac96236b5b8cdc3ec0d810b9124431
SHA1ded5d1b9a6d27f11b5ee7c3146b1dd195d2867c3
SHA2560d513e3fb62fc6e3a9e3847834d71731eefd8e4d82208bdee1a0d8a88c9fef40
SHA5127f997c4beef57785ae830482080773783ec8696a8715aebc593f942f67b2456da91b057ca0af010dd2ff4545b997613d1e2cd02102a6649fbe8b24d9e7f1411c
-
Filesize
7KB
MD57c31f4eac1d44af4c926fc29edb5edee
SHA19b3ebb428fca080eb88e2c586ae6f4d8e6b2f62c
SHA2563ee6e7b5cc84a550f59116a31fb7a1849c5316353f6a2d01935aecc0c460ddda
SHA512e264e7fa7a276f66a5199df9a1c07be8b935b5488adea0d0be6e51c58c1d0465fbd6a0acc98ffb73d47ba90cb7a4d78e7866e49618bafa03bbd133278ac1a911
-
Filesize
6KB
MD5b7e65355b6cd52eff2fd955b453bc71b
SHA136206ab3d28a6f6507695f39002ed06a3513c147
SHA256495612a156177c081c0dddb5eab1913ae090c249eb1a4ce8de414480d71b5869
SHA512ccc57d499f1bcc8868106c88ead7b0bd937b578c45bb001c4a50e967610befefb902edb1173ce2d67df1eac6fc7482a76260d57f7930cf59f2ac489b9d6b7ddf
-
Filesize
7KB
MD5bfd139a02320771e1fd2804cb7ce4c10
SHA1a8c8f1b49842c3d690ec2f7940894219499c35b7
SHA256ec922e799d8c30e229e8f2a22a6b38c7231251ac63ed53163ef72c50e50f4d25
SHA512f0e23bd069814ad29bb166ee16b0175c001bcb5fe33464877e6b8bb0466c761caf251517d80b94b67de79a479d697b1569e3ba43ebc7a1d8c3c0985d3aa8bd10
-
Filesize
6KB
MD530b8e31d851b422fa816654a88d93892
SHA15ea3267bba10aa81a7c3e44c8c673d48daa94cdc
SHA256df9d51552b0f5b3447a9d07390a3352b6192fcf5053ceab6c310210fe7d9d55b
SHA5124e964e8ea722c1697afcf49dd3f624123f694fb984837a607f5ca586ff4f28104d3c25efed17b41c0de5866f1a80c7d05f9ffcc148f79643885fc8bfe628b9f9
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
72B
MD54f4871bae077cbfe6edff5400acbad16
SHA12790e19828f0d64e1daff40df4a717f301bed10a
SHA2566100b84ab15f7cdd6fd4ec14edc699a34f693eabb3d85a2045fbe9045e2db34f
SHA512101e117ee030a0332ec39454283d6bae3e6610e5cb53921d9933d6e399d2a08ba8f468b94078f3523a36975071f81891de55e288e7aa676197235ab0012e67ae
-
Filesize
48B
MD51c20e600af3390c0dd3a084cca49fa83
SHA1791f35501eb41f54d9e77ab114369ad58768b898
SHA256f613000ff88c26b45bce6f20839f0e2b58dc0008869ce29811e31567ee33cf07
SHA5120b96da39eec04e246b31f3d283d8976a88d59a5a45c94abd13d19dc99ff42c3672e470bbb86f09ae31957f4cb2f33db45d1ffdcf5e4f3ad7886b8fc4211d0401
-
Filesize
2KB
MD5dc813f1f23dc6ea56c9c1f3447711748
SHA1d78b33e95fdfda5d879c68ade855514642312d34
SHA256b7b1c613c82c6efe4d2fbfda7eca3551e83bb11d0c169032d7f7d6c3002a4f7a
SHA5121600f857b74f8df87d298a89bac4d062b97792ee106c29a029ff5aab1fffd9532efeb1af5e35e54b8bcb73abd8db83c730669b553f368205d5d7b1ede5a3b47b
-
Filesize
1KB
MD5f4396aa442c00e807f7287419319d3e1
SHA18a5f91b8c4d1e33ce552b86d26535928965f2bde
SHA2569c3cbff307a93b04d9579f52148d3be7db0908ab39043e2c0db86b0da72fe4b3
SHA51222089b4aceaf35d14dad5a8cf91b17ceb146eae6f996c4aebbd3bbd128f23947ac112b4bca53fce0c69ea283953fd722973532d1f6e570685b3725b8b3829a7b
-
Filesize
2KB
MD5a384ad63a549eb6a4684f4d85001e362
SHA11bb62972717a92eca761f3c2b38e541b9b4f173f
SHA2560f621b9c49576ff2fcf25409ee942329ee6206e3b70f2976876e9b0e65ff8cad
SHA51268b59619241276038e930becb1bc4c1a8d46ccfb4ee0d3e231639a943e328910d51cf4bfcdfb6c29f09bdcd648de42cc314d2256025d6f51a04050d1bd16e4d0
-
Filesize
203B
MD5682785980491de756e59c28853b5f963
SHA1a3f085c19b60f627a3f06272efb9516e9782dd78
SHA256a5d858d5887d71143559aaf6aec98275ac9eaec708ae8eb5d0918899661a7f87
SHA51276a71d2ad1b264936d401ed91997e6ec328a863ec02f7dfb4e801241917931ac9c333f71f6bf85e223968067345144faa507bad80c7ee337eb204d3339035c0c
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD57b6a78f45b9b8f378cc42dfa7c809f75
SHA1a0fe87da1fc781ff3966038a4d8d5d8585b288fd
SHA256e4b718c71f178015094047144f61b43758f9f24d2db08f9bbb47958a7e5a0cae
SHA51222c3f1f744f1c9efb3fd6c858d65455041e20377dbb430597256b2529f742d8649eef62e5d22e983cc015e23a6be8bb091bc29a601815d1bd9f585f73b53f143
-
Filesize
10KB
MD5ee525ba6396f4985d20fa7878670dbf5
SHA141badbd8b31a675db9f9bb1a2251bd0b13620617
SHA25653343d7cb28e960c67790a8c948159d3c1ac6be1abce30ad38083ecc60feb365
SHA512669cea51fc79cec3d48c5de1f7c004b7e906c8544ecb664befcf48c43468235abefc37168d30d0c2ffb20240c0011cfca7533286a352184bff83d4d8b86aef37
-
Filesize
11KB
MD5b61abee94a89f865f52835aa44b2f2a3
SHA135e57386a2b396378d828de36c6b5a6968bd7f0b
SHA2569165ba6757051e148544be098cc51f6503586b6ccd2f5bb7497398bbd5f3301d
SHA512df46ec3d5ce2ede3dca4b5a67d235708fd501838c0637f3afe2a78642b939d81784bca2f93855aa2468bdcf6a6a931a8a293a23ae838ba3dc9ff2ae5c8415b0e
-
Filesize
12KB
MD5aab4621b65eb42b4c5eba81e13b6c909
SHA1be971bba3a69c86a536441deedf8813980d0542b
SHA256edd68f48175e151e253c4d7fa99ed6d1ee77b5f2332de2a150a06d745aed5289
SHA5126b49b50456af9c58dfb8c7e978beb0966f1796fc7c028dfe3e22e1803147e6d972ed8197640c00a95e2a3253d1de0c07bce28f70d95b9af324f080d67ce00054
-
Filesize
14KB
MD5ff4fe505cfe0ce36d6c7626604cb4185
SHA1847af2c9d481ae7af688b54e4011359715a0804e
SHA256e4134189599b6a075a7d340d2c8420416c330e96dd3ec3b86b111cca9972e9e7
SHA512a2516a1eff4dff0d5b5771dbf09f957b72ab064a4e84d366cbdc87dfe2baab1acda2cf75092e82584d3338737274e2ec5574e67ae3c699bdb989639692b16920
-
Filesize
369KB
MD5a9bbfc89690d3095e180b07c6d1e367d
SHA1e05cfdcb8701c3d9e3840aecdd77516572bc0278
SHA256a66f58a10ae4cf981749ae70edfbe2759c93eb6eedeaa332c8dfafc3c89e8d53
SHA5124d8358b3b4ed88db446d819d2e74fed91f51b68f9d9b2d8c63b1e0a1d223b6e044030eb4d5824c1fc8d4cd05ad05c1e684b05623485383d5866593989436d3a9
-
Filesize
1KB
MD5023182fa42575e5e9d66ff7a2c365600
SHA134d3986a5c99168980a23e21ac48316a231d554d
SHA2563af0d487f24d2b0308e5b8e3261c27131098cfeb8597a20d33e91f5238b987ad
SHA5129c17e3fcf97fdaa93d4edbe5ab1ef6af0088584dc5e7aacfad2d18a374469a5edb50738d2ed89133ad061fc512ba4ba3ab20b61ee6df8155fb68b43070b6b1c9
-
Filesize
3KB
MD53ef54b3b66608ada63f81b14d9c0274b
SHA103f2f01a1cc6adb40f92a76482c4cc47788a1a9c
SHA256ed60e2c2423d8cff460adae4db811857f3141e7f59cdcc8e5a649faa8f68569c
SHA5128c24bb681158279df2396291966f7c53ac08170dbed8d47a745f5b5e41f28b476a7805028865a5453386e2bb1fd6693dca205aa3147789c3e261d4b9004fa59e
-
Filesize
52B
MD5dfcb8dc1e74a5f6f8845bcdf1e3dee6c
SHA1ba515dc430c8634db4900a72e99d76135145d154
SHA256161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67
SHA512c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d
-
Filesize
88KB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
112KB
-
Filesize
152KB