cb93ef8affa8e13b671190d1f8790aa08e0686097493d958e900659db2736841

Analysis

max time kernel
1560s
max time network
1561s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
Size

132KB
MD5

e3c267738f67276083b24d569757da8b
SHA1

6d57305a13e7d811166e0daaf0cd7eac0772f726
SHA256

51dbbfc5afb2b6e9f4ca37906d84b4f3807d7c79727c71d6ee5827a197644580
SHA512

5579b33753fa100a83e8247339a45c49df1316f4c25c1ab9a161c61e543e2e51e94323ed705690bb1da8515565984e23030e924c217d55b57e975d794a7ea97e
SSDEEP

3072:6FV9aY52irPvMIi+tOXAkn0bioX13JDDNq2HDbD:6BaYl4TQCADvVDb

Score

10^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private HardWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected]

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>HELP_DECRYPT_YOUR_FILES</title> <style> .text { text-align: center; } </style> </head> <body> <div class="text"> NOT YOUR LANGUAGE? USE <a href="https://translate.google.com">https://translate.google.com</a> What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private HardWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected]

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeFlashPlayersHardWare = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_c8e8c66d1c9b74ea.exe\""	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*ChromeFlashPlayers32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_c8e8c66d1c9b74ea.exe\""	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Reader UpdateHardWare = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe\""	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Chrome Reader Update32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe\""	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\L:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\M:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\P:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\V:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\W:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Y:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\E:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\B:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\J:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\K:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\O:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\S:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\U:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\X:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\A:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\I:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Q:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\T:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Z:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\G:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\R:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\N:	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2832	vssadmin.exe
2416	vssadmin.exe
752	vssadmin.exe
1476	vssadmin.exe
2156	vssadmin.exe
748	vssadmin.exe
968	vssadmin.exe
1568	vssadmin.exe
2296	vssadmin.exe
2848	vssadmin.exe
480	vssadmin.exe
2448	vssadmin.exe
2528	vssadmin.exe
1492	vssadmin.exe
2140	vssadmin.exe
3056	vssadmin.exe
1504	vssadmin.exe
2620	vssadmin.exe
2268	vssadmin.exe
2664	vssadmin.exe
1512	vssadmin.exe
1260	vssadmin.exe
2468	vssadmin.exe
572	vssadmin.exe
1744	vssadmin.exe
756	vssadmin.exe
1416	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437471354"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1926ACD1-9FFD-11EF-B8EC-E699F793024F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000c88c448d63c35143f265dda5db58fa6209eeca0f9df192588984bb35a1a25117000000000e800000000200002000000010c6388adddee3f0c1741b9725cf3f6159130e69b7a963e9e0db27def0bbecd62000000000eac4a801e47c2cb78eebcb6d35cd8bb6b9d29488311b510bf0c65c4f93bd3e400000008886d7d995113d616c0f277e33401f704e3f880da915d9e0c34a5e0476160691d5f2d20d9929e6fffb26029c88cfbedc04460b2dcbd801d69df9cff13b37699a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e04d92ed0934db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000007d1425c9152925f4513587922b7b3960908239330930be2d91db8e6793d92a4f000000000e80000000020000200000001f612b6ed1bcd2b23f34840a6c3cd1f80b2c81d3a162c7100de58970d0fce825900000000b39b6f88b469c46c2b1511b993a5cb7497fddda937f3dd3928a39ab5959668c49911c348c0cbb25eb48a1fae0beaab85bd2c73642cdf99b05f2b7e45b51c29a90605b7564f8a057a2b24d9460bba3448b436b0ce51dd3acc9718163d80b632aff9b5471bceed1790c052cf041d06ba3af8dfeb0bd07c785bf6204fccaf5d676949064211d1ab809c6b3313a81f58c984000000024dd47bacad69b49f352669af982ad5d73725ce6032ffacd46701ea9d3322293d285635ab3c0acf18a579f0cb04802a189ea3cfdb22da3671fa2384f65d13b9f	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2988	NOTEPAD.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	896	WMIC.exe
Token: SeSecurityPrivilege	896	WMIC.exe
Token: SeTakeOwnershipPrivilege	896	WMIC.exe
Token: SeLoadDriverPrivilege	896	WMIC.exe
Token: SeSystemProfilePrivilege	896	WMIC.exe
Token: SeSystemtimePrivilege	896	WMIC.exe
Token: SeProfSingleProcessPrivilege	896	WMIC.exe
Token: SeIncBasePriorityPrivilege	896	WMIC.exe
Token: SeCreatePagefilePrivilege	896	WMIC.exe
Token: SeBackupPrivilege	896	WMIC.exe
Token: SeRestorePrivilege	896	WMIC.exe
Token: SeShutdownPrivilege	896	WMIC.exe
Token: SeDebugPrivilege	896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	896	WMIC.exe
Token: SeRemoteShutdownPrivilege	896	WMIC.exe
Token: SeUndockPrivilege	896	WMIC.exe
Token: SeManageVolumePrivilege	896	WMIC.exe
Token: 33	896	WMIC.exe
Token: 34	896	WMIC.exe
Token: 35	896	WMIC.exe
Token: SeBackupPrivilege	2412	vssvc.exe
Token: SeRestorePrivilege	2412	vssvc.exe
Token: SeAuditPrivilege	2412	vssvc.exe
Token: SeIncreaseQuotaPrivilege	896	WMIC.exe
Token: SeSecurityPrivilege	896	WMIC.exe
Token: SeTakeOwnershipPrivilege	896	WMIC.exe
Token: SeLoadDriverPrivilege	896	WMIC.exe
Token: SeSystemProfilePrivilege	896	WMIC.exe
Token: SeSystemtimePrivilege	896	WMIC.exe
Token: SeProfSingleProcessPrivilege	896	WMIC.exe
Token: SeIncBasePriorityPrivilege	896	WMIC.exe
Token: SeCreatePagefilePrivilege	896	WMIC.exe
Token: SeBackupPrivilege	896	WMIC.exe
Token: SeRestorePrivilege	896	WMIC.exe
Token: SeShutdownPrivilege	896	WMIC.exe
Token: SeDebugPrivilege	896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	896	WMIC.exe
Token: SeRemoteShutdownPrivilege	896	WMIC.exe
Token: SeUndockPrivilege	896	WMIC.exe
Token: SeManageVolumePrivilege	896	WMIC.exe
Token: 33	896	WMIC.exe
Token: 34	896	WMIC.exe
Token: 35	896	WMIC.exe
Token: SeBackupPrivilege	1472	vssvc.exe
Token: SeRestorePrivilege	1472	vssvc.exe
Token: SeAuditPrivilege	1472	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2052	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2052	iexplore.exe
2052	iexplore.exe
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2828	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 2628 wrote to memory of 2828	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 2628 wrote to memory of 2828	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 2628 wrote to memory of 2828	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 2628 wrote to memory of 1632	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 2628 wrote to memory of 1632	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 2628 wrote to memory of 1632	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 2628 wrote to memory of 1632	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 2628 wrote to memory of 1100	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	38
PID 2628 wrote to memory of 1100	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	38
PID 2628 wrote to memory of 1100	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	38
PID 2628 wrote to memory of 1100	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	38
PID 2828 wrote to memory of 2832	2828	cmd.exe	37
PID 2828 wrote to memory of 2832	2828	cmd.exe	37
PID 2828 wrote to memory of 2832	2828	cmd.exe	37
PID 2828 wrote to memory of 2832	2828	cmd.exe	37
PID 2628 wrote to memory of 1616	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 2628 wrote to memory of 1616	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 2628 wrote to memory of 1616	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 2628 wrote to memory of 1616	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 2628 wrote to memory of 1148	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	42
PID 2628 wrote to memory of 1148	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	42
PID 2628 wrote to memory of 1148	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	42
PID 2628 wrote to memory of 1148	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	42
PID 1632 wrote to memory of 896	1632	cmd.exe	43
PID 1632 wrote to memory of 896	1632	cmd.exe	43
PID 1632 wrote to memory of 896	1632	cmd.exe	43
PID 1632 wrote to memory of 896	1632	cmd.exe	43
PID 1100 wrote to memory of 748	1100	cmd.exe	44
PID 1100 wrote to memory of 748	1100	cmd.exe	44
PID 1100 wrote to memory of 748	1100	cmd.exe	44
PID 1100 wrote to memory of 748	1100	cmd.exe	44
PID 2628 wrote to memory of 1732	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 2628 wrote to memory of 1732	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 2628 wrote to memory of 1732	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 2628 wrote to memory of 1732	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 2628 wrote to memory of 1540	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 2628 wrote to memory of 1540	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 2628 wrote to memory of 1540	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 2628 wrote to memory of 1540	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 1616 wrote to memory of 2848	1616	cmd.exe	115
PID 1616 wrote to memory of 2848	1616	cmd.exe	115
PID 1616 wrote to memory of 2848	1616	cmd.exe	115
PID 1616 wrote to memory of 2848	1616	cmd.exe	115
PID 1148 wrote to memory of 2140	1148	cmd.exe	52
PID 1148 wrote to memory of 2140	1148	cmd.exe	52
PID 1148 wrote to memory of 2140	1148	cmd.exe	52
PID 1148 wrote to memory of 2140	1148	cmd.exe	52
PID 2628 wrote to memory of 2296	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	113
PID 2628 wrote to memory of 2296	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	113
PID 2628 wrote to memory of 2296	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	113
PID 2628 wrote to memory of 2296	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	113
PID 2628 wrote to memory of 1588	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	55
PID 2628 wrote to memory of 1588	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	55
PID 2628 wrote to memory of 1588	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	55
PID 2628 wrote to memory of 1588	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	55
PID 2628 wrote to memory of 2152	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	57
PID 2628 wrote to memory of 2152	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	57
PID 2628 wrote to memory of 2152	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	57
PID 2628 wrote to memory of 2152	2628	2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe	57
PID 1732 wrote to memory of 3056	1732	cmd.exe	58
PID 1732 wrote to memory of 3056	1732	cmd.exe	58
PID 1732 wrote to memory of 3056	1732	cmd.exe	58
PID 1732 wrote to memory of 3056	1732	cmd.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
"C:\Users\Admin\AppData\Local\Temp\2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Z: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Y: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=X: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=W: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:3056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=V: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2296
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=U: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1588
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=T: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2152
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=S: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1280
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=R: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2284
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Q: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2952
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=P: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:992
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=O: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=N: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2568
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=M: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2560
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=L: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=K: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=J: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2000
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=I: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1840
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=H: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1952
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=G: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2492
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=F: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All /Quiet
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=E: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1764
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=D: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2732
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=C: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All /Quiet
  2⤵
  PID:1368
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=B: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2848
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=A: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop vss
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- - C:\Windows\SysWOW64\net.exe
    net stop vss
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      System Location Discovery: System Language Discovery
      PID:1908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.HTML
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2052
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1020
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.TXT
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1858630544-1954133313-107911703910047594931776999925-14972117243281515-1921857489"
1⤵
PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5630003121363208009-10652615611848250054-1624367044-8736913021215700284-436420083"
1⤵
PID:2568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
d38e7372ed502360c5324c3e96891fb4

SHA1
b60d4e2f7c72ad54d2fe3f0abaeb053acbabd0e7

SHA256
af8de0d569b06055813d53e9c97733e008a63204ee3c948d4cdc68b54dfecafc

SHA512
f4b24f3096d6deb262cd3e31ee33d355c6b9cde97df2ef933d86c37c3dfc622656cacb41a0b8712246298d8d6c4b3c137de8b72edb771f0253707c0572a2430e

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
6a97401b4de8fa12f2481385713053df

SHA1
b8d066fb573f4ea440effc260d676241bf10ac8a

SHA256
a7dd0b3c74e29ee67339a23eeb8e4c8a34dd306c268515a62fe0b5fa7e14b0d7

SHA512
58c1a67562b6d0a28885a53fbd688e2c08fbc01d4ac0356a77d643dd4b2e124681b18a6b29367611f222345bec05dc75ddbcf582b6b9385abbddfbbb5bd48682

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
3b4e3762bb007b4e2389d951b84491bd

SHA1
e43fbf4e02a04578c5bd28cb4535329196e8b933

SHA256
d55a359c8ea16c8d87f83bb9158653b57b2d46470fa605e1301d2d4924a32f15

SHA512
81471288929abed0a8417173cfd51ead81a6ad686dddd4b4f2389f457976c590b45fdaa491e37fe022d95f3d95ee2fcef3d44fc33feaa10844046ff9d6b41081

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
6853f73d588ada6c2923cf5bff36353b

SHA1
f83f2b94ee32e7d282bc4192013a7a5913fa17ac

SHA256
3ff7860cd75f3ec27f9ea2b42ab0bfd5d4abc5421e954295c36d67d6afa1f63c

SHA512
ed85a97fde1c980ad5550f8bcdf51a5cbd772120f2c96f009c52d4ed4279aa52709a7bd75cfbc9b19cef4c170245385356d792534d075a713b40189e64d255cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c8e875f47ac8c85dd6e51d89d7e4c10

SHA1
ce74a5e132aeb148c6f34b40148964a2063312e1

SHA256
9afb04f4897bf9c114111684218daf0648bcb37cb95ed750616e45e5a1b09ff8

SHA512
9e90e2998ff60ac071ec7cd0dfa3408be425ccf305c46152787d7ffa80299b9cb1085705f2ece18f98e1a8ea0e278ed54d6f01a90370563636522686ed3be956

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67feb3768254df001d49ae151241e242

SHA1
5f0a040a77f1c78fa62868dae02dc409472e1bef

SHA256
6269a45f6be05f6b6f21d9654d98028d3b587ac24127a026f9cc459dba6a08c7

SHA512
1925ab4eee93e1b71074df46f83c01f8e2e9d78d1414fcd1a27af60cd4c4fe34d691ce8df88f09a4bf247e90cfb8f66815dc5fe9c91798bd1c2fc7f9be9c4107

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e79cc81c7aaa08bb7ce0a2515b7412a9

SHA1
574005b8bac0a5c5093416ad0fa63cae23bc4f86

SHA256
31de474c576dbaf6177adf8189b019a2adf0cc456231a97a23a0a20cd2ab2f22

SHA512
5c4a6b1c2b1edd8a4cad5112aff20dc84aea297152137a56493a2615837f42662690ae60397a4b751099f72a33217a58d88f0f6c4314e8726cf415d0fc7dac38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c4dd4b646732ec4a534b805750ec1f5

SHA1
725c0d21bc2ff8998e751883e565e2abe84abcba

SHA256
2f0990aacb6e5b7f2e0e4882b44cef3dc60a956958ba1cddad37cf10f2538873

SHA512
72959ff44c0f987ef04d42a61397f0d49a58864fd2f5923ceb3620fd447f1b57b0d30b94334a710fb702e2b39d1a30f4be470042000316bccf6c0be4c2701c1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b0de1a7fd7f25f41c72aa62d39076c5

SHA1
5653c0d49de5fd543ee67b22d0ae0f6b5e93028a

SHA256
a9ead6f4cb51eb39caaca703abdc00d7044c981cbc12c64be6b72f2afa0c9e5f

SHA512
9903bd58a0af96f3c9c6420680f506bb44b56a3475d767625caaa92108e8aeaf6cba4cc6695fc2bc98c268d72d4de09e97b4dce178c54ca0fd20ad467bbec149

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cd4d93a0f68122274cbec241d9bc35e

SHA1
d782b65e0865b1e0ee7a18db810ee2f38a361cf3

SHA256
24bd5ff317b32bd919a2a63678cc7e068050900be7a3d1c234e98466b197dcbd

SHA512
640fad23d2a89597605ec8914a9eff6f79d43da25373d85149c7bc6f7e7488f309472afed4a6b8bf03c04b417bb01874717e7307c9ad042458eab74f9029edb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7e0f14da88658092c4c6af93a17c54c

SHA1
0b87b29743e26592830d47e1b0603523a6fd39c4

SHA256
c6de14bb6e6aa868c9cf5c16c6cf40fea962830369ad96027085ac0164c131f7

SHA512
4a0544917473936634e96c45789a203dd465f35c9e123125d12a4083d46a1dc67afc12d0ac6b8e3cdb13f939eef824a21df92058d57a7f2b15740d426d9d50a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a005db01ccc4d158e3e78c7704b4cb0c

SHA1
995d30750dfe8e80718f1201a27528442e729b6e

SHA256
91cabd996448a48ea471b50602cc66bebd9acc44c3137257665068f7f13ada6a

SHA512
37e0136f50df791ab3c3e13ad7f5b32999ec7b4b29d5424043dccfc235113ced83e14203c485f494da69ebba7830ca9b8978922decf4a557f2e4a4075c7cc5bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81ec7638a1e06f8da6fee602e06a90d9

SHA1
b78d41ec7dd9162325984ac66fc59622dad0db70

SHA256
c187b7df271379693fdc6308870da6e609c50c3afcc5480da48a7f82f410f9a0

SHA512
c240989c2b8a165e491757440d70becfbde0290c1ab2375c2a83f5cd013ae4e48a6359953f05754b4a2d1a2dbe5c806a56658f00aa02590417e96978e8400cc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
060867a94505de5959e7d59ad9d52695

SHA1
09de324c6449800f766390ece351355ef95f4aaa

SHA256
c6fa1ccc0b60b59f3381de47e225f7faf7853df4f2b67b54ded4e2ff71e18866

SHA512
398a5ce1758d7931d8f66e081034c9fc383d2942be996415bd203626cfb492c61f5f2a3b77d80fd1f30c176d60c25dba4017c8875392e75d84db111b3a22bab2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ef07aca51a61866d125d92617965ed9

SHA1
9fd28427c1e3f7716a4e2e8c02c00bbe094d9246

SHA256
04e5652cf8e0db1bc9e1aeadb70c206b117489b5f6357d95cbf17cd331e995f4

SHA512
329c171c8f534fceddc48418c21cd5b871721309e1951573cfce859d603252fc7fc89e8c8de4fbacbe742fce137096c6e6a32902bdde7c5208bd970ec3f5851e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9518e7ddf3f9869e07e768b62b2351d1

SHA1
8cf1c30e74635c9ccf0652b265bd0c988f8a7bd4

SHA256
f5c4d7ef4c43cb86083d294301ecb6ef611447b9314cae00d5ef88193a7404b1

SHA512
ad7a83d9598a42bf12cb35d23c8dd56791960bdc7bd04801f265f7bcb82f5fa920b5daf25c46623e10c77cb7a6468621ab96e713446df33f522b21c6d7ad9278

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6921971eecf13952f3f0b3fee846774

SHA1
f51dce6d3c7e0c2adfef0f2e49f6f119916cc5a7

SHA256
d45f4049cd37cce6dc79a36ae011a0c77ca50c1f9133714ecfa6438106530c1e

SHA512
7d4d890f277316c7a894e93cf828129be2d8afa5f34e893f25ea3f8d5a4c02a284205838bb7cc947b42ae2079320bc5bfaaaa452bd6beb889960a1050ed6d44d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db71caf0848cc9f696b058454b30cfe6

SHA1
bebcfab3f7a1416e233b7dae247be779ab0066cc

SHA256
8c307b04cd13758d23b694128b65ec9a9d2d1e8fcc8cfbc25fc7d584dcdeead1

SHA512
02c7649b48132dc5166294ccc4918b437f6155f8ba037dfda120ab78e0adc99c258a0822d217deecc105b7633a82e455fde11989feee5dfe475726bcdd529ae2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bb7bae6d131a0deacc9b8fac19afb02

SHA1
8e321e147e3f835ce58c89f442512f6765a0e8d7

SHA256
761dd54ea2d7c4cd1598cc2032edd6ed79ac8a5f100a76645326000d1da4abe6

SHA512
d062503455d1d88e96820f7dce2ee943a08b9f8789c8b44377e1942acc3ea1a36643e37a9921ee40e36833b3fdc0d2910f29a5141ce0ef99c361e5b018d3ac86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6631e987bae5e089e22e08b830cb5836

SHA1
593c642818cc6399a339caeaff3f3fe213655c21

SHA256
e586540578c84ae98b223631e67cf9e9ec9c68151547e26e8f6ebd1d56bdd7a8

SHA512
141557b791dd33f842d0f70597ca190ecd1a5fc1d2864ecfe083f497ba53dee0c5019d14674d9c44b9a2b50ea7d28e9063867d53ea6f6d2c016b3a5ddb218d1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d94a1d58cf7115a6a97d5af7df1aca03

SHA1
7affdc77e75c0221343623baad9dd188b747eab3

SHA256
15d4972b9584ca0540e1a5b7838a5dcff99b13bc59a397ff7aa3838908321e22

SHA512
a470e1b0947f9ac52223fdd747534029bd46572cd74c8cefa4662105a6d22208dec87778c0f98e2ed9788d5926491c054948140d8b536267e41a9d1c3140a75a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24618dba86153636612c73dc1ccebfb3

SHA1
f689f063587fd8bcdee1b7bad24336d5790260c5

SHA256
3391d55ca020cea466ee5137c1bd9e8fb6f771d5ed9bd378e4a8140786896f6f

SHA512
58814574180eaeeacc6813fcfda93aefa7b0cbb5eaae333acc5c8cac2862cd08516c00b56cc00629f051775e9cfa683937e96df63ebfd939150a1547e08fe461

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41ea929100084c1ce9b71400e60aaa69

SHA1
057710874e68914914cc7c90a7fb81c91827abae

SHA256
8bd8c523eeb9369bf7025161c4d9a71b339289e2b030bf5dae6bf850ecde0f62

SHA512
9457e209d1bcf2f7316957940113e395f3d0e11131a17fd0fad809b33ada4ed27d283a5da8cc8a159a8a05a228e5ab46fb066ddd0aa65b3a90aa853fc04e283c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA180.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA1D1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2628-0-0x0000000000100000-0x000000000010B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads