cb93ef8affa8e13b671190d1f8790aa08e0686097493d958e900659db2736841

Analysis

max time kernel
1558s
max time network
1559s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
Size

127KB
MD5

a202914a34dc528aa137bd394518d9b0
SHA1

4724934b61687cb1abe96bab137c7b1d4476f271
SHA256

f110528a354648070a7ef4cbc43046ca427adced8aad6c936bdc9e8932e01225
SHA512

c18ece9e156c2020cc34e3aa77e00efaeda2cca2d5a99b0c0e6cf170b723a009dbaa775b14a7673ba076aefbb7aba1a0fec12e3db7d580c5b43841cb1659a8d6
SSDEEP

3072:KFk6+tT5BzOgfGxUPY/4/4OXAkn0bioX13JDDJ8uD:QkTHygKUPg4/zQCADvJ8uD

Score

10^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private HardWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected]

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>HELP_DECRYPT_YOUR_FILES</title> <style> .text { text-align: center; } </style> </head> <body> <div class="text"> NOT YOUR LANGUAGE? USE <a href="https://translate.google.com">https://translate.google.com</a> What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private HardWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected]

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Reader UpdateHardWare = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe\""	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Chrome Reader Update32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe\""	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeFlashPlayersHardWare = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_e938089d1c9b74ea.exe\""	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*ChromeFlashPlayers32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_e938089d1c9b74ea.exe\""	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\P:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\S:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\A:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\H:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\J:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\R:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\T:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\U:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Y:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\G:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\E:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\I:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\M:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\N:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\V:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\W:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\B:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\O:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Q:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\X:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Z:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\K:	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1928	vssadmin.exe
1372	vssadmin.exe
2548	vssadmin.exe
548	vssadmin.exe
1352	vssadmin.exe
2000	vssadmin.exe
1356	vssadmin.exe
388	vssadmin.exe
2536	vssadmin.exe
344	vssadmin.exe
1104	vssadmin.exe
1156	vssadmin.exe
2232	vssadmin.exe
1628	vssadmin.exe
2052	vssadmin.exe
2716	vssadmin.exe
1796	vssadmin.exe
1968	vssadmin.exe
2396	vssadmin.exe
2920	vssadmin.exe
1328	vssadmin.exe
2724	vssadmin.exe
1916	vssadmin.exe
880	vssadmin.exe
2096	vssadmin.exe
348	vssadmin.exe
2732	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437471400"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000e8e4125c8666c6c09739cb037f801bcf08f1e1700c1bc196887515d5301d12ea000000000e80000000020000200000005b0cf2bc7bdb39d77de55d5033ddfa89032df2573190565fb751143714c63457900000008821411845f948825c98f2f67e199c95d3b8f450ea062536847fbc5733dd57b6920bc4169356d3dbc3085d93b47ae2221e8f4cbb716ce22a078bbb799681ddb1224e42ae939887bdc80eb9039347c20cf5ffbf7e6a36b675b9a9251c7b97e1fe03e9320fed88aae6aebaf121795d9941c080def32afa31c0297a820cb5e2b99ff8e45d198788d8c14dab1fd4a2c3a50d4000000086a8a2c431502a500863012ea4c3190d6b4cdf953b720d9af11becde4be5958b59667256e5f68a24d90e5974816cafb3f16d80e11ecd26f0fb8f532ddf72ae6b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f06fd6080a34db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{34341EE1-9FFD-11EF-A6EB-D60C98DC526F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000006f1e73e21c114991bdfdf8a4f356c0f0d6fa880db42c85b2654039231bffd02b000000000e8000000002000020000000df60ae0fe6a7e46736df114df570898c1f3d50e9a42d89eeafd7416297574ab6200000005e39178b1638b77e6c1d0f95ff0eaea031a8167fe67f9457feeb37d0c1ce88dd4000000032c6b33774687187c0791e370cf2eb24975bf2b5be6a83765c476180f9dfa185e8212b4be1df7866b24a4a39b9ce435876a22f0518d100e287dcc6434613a9ca	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2920	NOTEPAD.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2260	WMIC.exe
Token: SeSecurityPrivilege	2260	WMIC.exe
Token: SeTakeOwnershipPrivilege	2260	WMIC.exe
Token: SeLoadDriverPrivilege	2260	WMIC.exe
Token: SeSystemProfilePrivilege	2260	WMIC.exe
Token: SeSystemtimePrivilege	2260	WMIC.exe
Token: SeProfSingleProcessPrivilege	2260	WMIC.exe
Token: SeIncBasePriorityPrivilege	2260	WMIC.exe
Token: SeCreatePagefilePrivilege	2260	WMIC.exe
Token: SeBackupPrivilege	2260	WMIC.exe
Token: SeRestorePrivilege	2260	WMIC.exe
Token: SeShutdownPrivilege	2260	WMIC.exe
Token: SeDebugPrivilege	2260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2260	WMIC.exe
Token: SeRemoteShutdownPrivilege	2260	WMIC.exe
Token: SeUndockPrivilege	2260	WMIC.exe
Token: SeManageVolumePrivilege	2260	WMIC.exe
Token: 33	2260	WMIC.exe
Token: 34	2260	WMIC.exe
Token: 35	2260	WMIC.exe
Token: SeBackupPrivilege	556	vssvc.exe
Token: SeRestorePrivilege	556	vssvc.exe
Token: SeAuditPrivilege	556	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2260	WMIC.exe
Token: SeSecurityPrivilege	2260	WMIC.exe
Token: SeTakeOwnershipPrivilege	2260	WMIC.exe
Token: SeLoadDriverPrivilege	2260	WMIC.exe
Token: SeSystemProfilePrivilege	2260	WMIC.exe
Token: SeSystemtimePrivilege	2260	WMIC.exe
Token: SeProfSingleProcessPrivilege	2260	WMIC.exe
Token: SeIncBasePriorityPrivilege	2260	WMIC.exe
Token: SeCreatePagefilePrivilege	2260	WMIC.exe
Token: SeBackupPrivilege	2260	WMIC.exe
Token: SeRestorePrivilege	2260	WMIC.exe
Token: SeShutdownPrivilege	2260	WMIC.exe
Token: SeDebugPrivilege	2260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2260	WMIC.exe
Token: SeRemoteShutdownPrivilege	2260	WMIC.exe
Token: SeUndockPrivilege	2260	WMIC.exe
Token: SeManageVolumePrivilege	2260	WMIC.exe
Token: 33	2260	WMIC.exe
Token: 34	2260	WMIC.exe
Token: 35	2260	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1760	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1760	iexplore.exe
1760	iexplore.exe
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2216	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 1984 wrote to memory of 2216	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 1984 wrote to memory of 2216	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 1984 wrote to memory of 2216	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 1984 wrote to memory of 1196	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 1984 wrote to memory of 1196	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 1984 wrote to memory of 1196	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 1984 wrote to memory of 1196	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 1984 wrote to memory of 1308	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	36
PID 1984 wrote to memory of 1308	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	36
PID 1984 wrote to memory of 1308	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	36
PID 1984 wrote to memory of 1308	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	36
PID 1984 wrote to memory of 656	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	39
PID 1984 wrote to memory of 656	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	39
PID 1984 wrote to memory of 656	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	39
PID 1984 wrote to memory of 656	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	39
PID 1984 wrote to memory of 1804	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 1984 wrote to memory of 1804	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 1984 wrote to memory of 1804	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 1984 wrote to memory of 1804	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 2216 wrote to memory of 1372	2216	cmd.exe	42
PID 2216 wrote to memory of 1372	2216	cmd.exe	42
PID 2216 wrote to memory of 1372	2216	cmd.exe	42
PID 2216 wrote to memory of 1372	2216	cmd.exe	42
PID 1308 wrote to memory of 1628	1308	cmd.exe	125
PID 1308 wrote to memory of 1628	1308	cmd.exe	125
PID 1308 wrote to memory of 1628	1308	cmd.exe	125
PID 1308 wrote to memory of 1628	1308	cmd.exe	125
PID 1984 wrote to memory of 1760	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	144
PID 1984 wrote to memory of 1760	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	144
PID 1984 wrote to memory of 1760	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	144
PID 1984 wrote to memory of 1760	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	144
PID 1984 wrote to memory of 1656	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 1984 wrote to memory of 1656	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 1984 wrote to memory of 1656	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 1984 wrote to memory of 1656	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 1196 wrote to memory of 2260	1196	cmd.exe	46
PID 1196 wrote to memory of 2260	1196	cmd.exe	46
PID 1196 wrote to memory of 2260	1196	cmd.exe	46
PID 1196 wrote to memory of 2260	1196	cmd.exe	46
PID 1984 wrote to memory of 688	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 1984 wrote to memory of 688	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 1984 wrote to memory of 688	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 1984 wrote to memory of 688	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 1804 wrote to memory of 1104	1804	cmd.exe	52
PID 1804 wrote to memory of 1104	1804	cmd.exe	52
PID 1804 wrote to memory of 1104	1804	cmd.exe	52
PID 1804 wrote to memory of 1104	1804	cmd.exe	52
PID 1984 wrote to memory of 2156	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	53
PID 1984 wrote to memory of 2156	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	53
PID 1984 wrote to memory of 2156	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	53
PID 1984 wrote to memory of 2156	1984	2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe	53
PID 656 wrote to memory of 1796	656	cmd.exe	54
PID 656 wrote to memory of 1796	656	cmd.exe	54
PID 656 wrote to memory of 1796	656	cmd.exe	54
PID 656 wrote to memory of 1796	656	cmd.exe	54
PID 1760 wrote to memory of 2548	1760	cmd.exe	143
PID 1760 wrote to memory of 2548	1760	cmd.exe	143
PID 1760 wrote to memory of 2548	1760	cmd.exe	143
PID 1760 wrote to memory of 2548	1760	cmd.exe	143
PID 1656 wrote to memory of 348	1656	cmd.exe	57
PID 1656 wrote to memory of 348	1656	cmd.exe	57
PID 1656 wrote to memory of 348	1656	cmd.exe	57
PID 1656 wrote to memory of 348	1656	cmd.exe	57

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
"C:\Users\Admin\AppData\Local\Temp\2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Z: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Y: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=X: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=W: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=V: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:688
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=U: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2156
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=T: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=S: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:352
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=R: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Q: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=P: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1260
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=O: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=N: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2640
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=M: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=L: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=K: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1920
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=J: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2916
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=I: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All /Quiet
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=H: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All /Quiet
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=G: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=F: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:692
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=E: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=D: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All /Quiet
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=C: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1992
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=B: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:768
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=A: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop vss
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1936
- - C:\Windows\SysWOW64\net.exe
    net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      System Location Discovery: System Language Discovery
      PID:2264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" wbadmin delete catalog -quiet
  2⤵
  PID:656
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.HTML
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1760
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1952
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.TXT
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2131224706-1048792986-1579954571-1252472856-920379767292643524-5737739721928305541"
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
10ee9b6ee2895938c85148fffdb5c7aa

SHA1
e550b3bafef70109307f2ec8077eb8cb17ea7e05

SHA256
87fc30798187259e50b7215a10c4c6a6d4cb95ce039ff7c62d3d1737e76326c7

SHA512
89eb994f2ff7634a61f03e35653c052a0bf20abf16f05f2f75247bb4392677ced5163b68c712a10a44dad0f8aa155be14951a77bf76c86cd46e6fff7e2f2cd62

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
b641ae5fb5ed7440dc58f0b8ade23b7e

SHA1
5a9af7e453285c0b740d2772113f4915d86acf2d

SHA256
0e3f95ec8ec456be23916d1b7c1f76eac7b18cb7cfc8755415a214392d7bc4ec

SHA512
c0ce565890859906bb14a059d0f2c7c0e627343a4da69999053308a87d72283e9ad82bd9d1ec48ca2d93d0750edacab2f830104a394e5aa2edf9271c47fbd4b5

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
22078a160a280d9f13e5026a38c8d496

SHA1
9ab7b3e8a4dacda8a33e5896c4086ce46924f926

SHA256
f4de07bb0992ae4c421927c1348ac6e49aa5fd31343787e9734c5e8bfaab2c4b

SHA512
841ea8eb3e65eefe30daf2ff26c95563b0d924a3568fae595258924cbc0159eb16c9e39109b3c9b9db9ba9058d5ace61e29788a955cc86f8d0b3eb496777446d

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
7f58bcf368f9fb50fe93526734c2d614

SHA1
fa3e7ec69944678205c8938400d4d1a4ad3d49f8

SHA256
d5b55261c676024f7f778dd5e2d48d336c6b793c84267c9d4e3117e363043409

SHA512
f49f0ffbec9ae5fec31af1c4b93f7b15d14dfc7f3167c71ee158274cbfb24ac0d121f66448a2b8fd4c8e182eed50bf28da36d2a9fb4c227a2667af09e8d8dfd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dfdf5463284521f32d9510d49c3a29e

SHA1
db5be5c6c92b70df5433397b6dbe3ab67a3480ab

SHA256
339c6f83f37ede57c8d878de60252570125c9de0ade4d757e7fcaf10bbde64db

SHA512
6be44952adf6a8cdcc3478a5fb5a1aa8639c0d07e047ccac0efdeb81a4b0eb03f34bae71e453dcbd7978eec39eb3c962c9747dcb576aeff89bc79efc6d6cfcaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d24ddf10a11d19c381666d500406a56d

SHA1
29cd2f46e535475ac838448dd98847a6c4242990

SHA256
284ecb5b28cab62873d8368fbde5c630847f4ca1eb62bd7addf86c9493ce954e

SHA512
c1c310e146e9161c7b161af5527074221f62d242c08425cd1a87043606cec2f8abc9837b9f528f6726f225b1ff714d995b94a99cf135b46791370f2c2a90b81f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
156e8cd54fb96b95623b59fd8aab6260

SHA1
33de8fff6ead6e53a7a9b6ecbc2723e73fc62768

SHA256
5d2189d91586092de6027926336ed482d1058b2415267201217588013369e34a

SHA512
6991c15a01ee4cb28768cc8d71000fd8ac70327965f9cc1ece3f0a18bb19464d066c89de4fb6150cb8c419b8d3b2fc0bd3a2874c554a291022c2e0ca34398141

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc517c7c676879edce05d14257dfa24c

SHA1
cfc06699bf619e4371823e7bda58aa11a16e8fa0

SHA256
2864bb46743a4d3d2f59e150816478e728f688cd831269565848861438805fea

SHA512
6c737eb2c2b95b82e4ec94c2b2957bc675f2b60a37bbd9066b8dfb69c6c10ae969f73a5d5cc6e9d07bd8c13cb51e0e89c65cc8ff29b4f9d1e45a7c8db45cfefa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b302b782f32ec1f1be849dcd2883f83c

SHA1
a30adef64ac1c6fe7a54cc7e93a86b26c64c6224

SHA256
82fc720d34d514c9744a4d49c1ba79b25abeeb086c54d8d9b4e09d30cb5fe3d8

SHA512
0efe75d1ea295d966e8b7913de61f16762407dbc2a64b6fc693dd33d7e0c7812374ebdeff05561398dbd306f775e27f7a6333f729d9df3fea14bcc5e2c9b6c70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09b98ce502cbc6c83ede4eeae126f313

SHA1
8e5e8dc1ba19f280ebbda20682569ed0d815d5ed

SHA256
116d0c5560d7c04a62636060b20bced22c0dc9eacacbb2c3e67bdb1627282d93

SHA512
6c8d68ed7f4c35f024598966777a82f0c0b9872c960e85083736556987134c611a6433a4ffbf02a33b8dfd9610a538d54e826fd769cefd7c86a2f0c2695d9c3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b84c2550f218f8c779c318b84459cd1f

SHA1
40cb4e45ccae12ad1b9f7181513d0f3cb18b2698

SHA256
eecd4b5aab0a4ee5836b7a68897d5ed0c9d07b7eda1a4db413787f0f69665584

SHA512
85af2183b8d8099614a26090fa574a67049933e96a785ca9e10a34231dc8a70166c9ce034a7622d43825a0205bf3ae9c0089aff149e5cc39f0c380daa1479905

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56c3ed144c6ce8564c641c74105c1d10

SHA1
f3e5a51b462c06104ac763fc3f365d590e06b68d

SHA256
43b1972ab6072b7fc28ac6bac5c98b508e8e0c1e5be35939681c3362f6873c15

SHA512
e781947d8f9f90e7dffc8907d0ac27c82e5bc19a81aebdc186fc223500aac53241800870cba0eeba32f71e8f729a0ca10e85452922424d8d9c36e6aaa56745cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f0f4f72414b00bc9e37b1f431f8891a

SHA1
df701b2b6149a225485225cc1a7e47c6127392bf

SHA256
2d27e28a41c52fa2bc224e40d5ca415d0a60859fc0e20c2459504ee6491e839c

SHA512
0c2ca0c21bad6ffd63dfbd52a2e71d6959cebf9f1468257c97a90e0bc8b7b66ee47455888a0cef1f7d9d4d9cebb367db0a0c7ed651c4390b7b0e16988a5a95fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba4516eacff3460e53bbab8569ddb2ce

SHA1
d57429e714fd61716532387cc2b1296725ae1c09

SHA256
3398e34b1be0aa7458cb47c0fae83ef8914dc97969f09cb1b2cf409d98d3b170

SHA512
9cfe7dee1f79f7f9bf38bf02ef49b55fe4ae3b3f7301e22060d97ad58b576dc628cb8c96b0cfdc4b56f745553bfedbc07ba51a76f8acb3ec73f6e908fb388135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb8035cf5c7974817bb8ca19a34c4eeb

SHA1
aa0a759fbac3daf9c609fc4a435b0361071ba5ae

SHA256
a0ea80b09aa3af7a5fb3435ce27888a4177b9cc59ed9a00818e610b7b0347a2c

SHA512
cba7c1a6858f6ca456c73217e0abe266ab7a45d439470dc5939df33d7c0c3aa802191ca76c233031491f1d89a67bb2a3629e29987b00acd018a381481fda4599

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64246aa2af85676c541bb8f792c7a3f1

SHA1
a88c194078e3e69b30a9fcf8cb7039be58bb185a

SHA256
b006496e4fe9e400e7245076e37581c45f580cf5b8478e8624aabc21abc478f0

SHA512
2c604658529c3743648123339a327c391c969d691ab896507e3c9ca3e1f5db30f8e6ea1814b426559e9c0a031a9443596433eb0546bf06791f742d68f73dd284

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
414bc34d16b20a0d8f513c26d4173de4

SHA1
3afb35a2db5296de686571065d55bbb385fef994

SHA256
4dfe9bc90a622621082021ea97e3a182bf453d5e3cc59467a3c4608d7b062e48

SHA512
f9f0444a1bacb85399e9e2b966d41eb3037338171b05c39481d1641f5dfb969e54c9b0a804f13028faf68a36b9427fe7aa2aee57082470b63573fbde35fe4a40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ff168da81a091c5a305c1380b5cb188

SHA1
2a0744e0132f0a779ed0c80ff70422f656dd0be7

SHA256
bcf604e30cf376f98773e9e90fa82b805ca0d82cd82e63064b4f1a6388bfcfa4

SHA512
0e3eb73fbb6e9f55718c4a1ff4a64fc6959be1456d729c3bec9cead3e0b1ab053db29a4b756384a94adfd09ab04519d99399aa321f96f36b1d97e2d5f44951dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbee3f705c8736363691d8d8742cb46a

SHA1
765f9e47f3248a24242b3e2c840f7ce3db3103d3

SHA256
ee5c5e3c60d0354c1c8a482587a9c0717f523f8726cb5642a7042eb97cf78a5d

SHA512
6868f3dba71b71eaf4bad4c785d31a06c589e40a43b69d268e766a3175acd935cf77a76bf0c381d4bb944abe3d44cd8d84997d49372cd869c10bbb01b93e3044

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0194331c963d0da9e24797846742df9

SHA1
113b9a8a81701837f8d0a9c7c3e4dcb00cc6342d

SHA256
b212d5ec18ce40bac3c69e85a0672b416062225891b45f54b23b1c5088fa3f3f

SHA512
dac4a197b078c44081cf9e1e1be4e1a987271c95d711df38f60a848cc380107902e5656e5c2865d6695a1c8326388d2c4bea344f344ead4d63147fc07188cebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f5570f2fbd4717486482d55168c6628

SHA1
9fefde2550a489a054b5818dda5518a797c5fbd0

SHA256
4ea806e66aaea11716d8d1ab54340657270dd3a0285c7c301a31364f27c979dc

SHA512
9c3eba16836edfd57b70123bb0cacde1c353aa3a402be70de871dc047fff2a4edf55db2db9d364e1076cecde607499eaf00ad7141169e6ff4b2f170d51c33cb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d165c64c4585b9ca33298a4084b4323e

SHA1
d631bc5ffa0278ad4d501becc5eb75855948ad5c

SHA256
0773f963c9deaeebb59a668f3f688d3da54f4a735a3cb49f15cb840e8e37da90

SHA512
355cb28a2c20aad3d47b6e36232f3f681b4e1f320b58455ea98de3babd492f94b42ae0bf0ade9a3e109c81e54b1b0ffd8c0da6b4ad8e8f1c81b7517c9dbd43ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
463839c6c04f6a4c678f60bfdc2448c9

SHA1
cf9b5d232b6cfc8db44b25f5611d9f62e850cf1a

SHA256
f53b737fd2dde2bdaae2c543698d297f4632bf70f2dcc583ee64c9a0a1b178b9

SHA512
bc5e529783b21961d2c8c56a163c91d0ef5421a115289e66641e90a280d4bf352325f5c7cc70abc17cc866f6bc8008929fc88e45fcd8afa52a5a351f43b7434b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0da94f8cff3aa2fcfc8ab1dacf08322f

SHA1
6b136e9f2b186111dd6ace81db2f39ee669f8824

SHA256
eec75a728a74d0e3248b0382a520d22a0b895efafc46268a2588cb57abff8902

SHA512
a8f356db54edf8d67ce4585ec394e950d23eb4d83fd0f6cd7a099a2da3d581e1440e5a688f9796def506b5b10f2b25eb44fcd958842b259d0925c27731fab2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD108.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD178.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1984-0-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads