infinitylock | f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

Resubmissions

22-01-2025 14:01

250122-rbhfqazrgq 10

22-01-2025 13:55

250122-q8fgysyrgz 10

Analysis

max time kernel
93s
max time network
86s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InfinityCrypt.exe
Size

211KB
MD5

b805db8f6a84475ef76b795b0d1ed6ae
SHA1

7711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256

f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA512

62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
SSDEEP

1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON

Score

10^/10

infinitylock discovery ransomware

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock
Infinitylock family
infinitylock

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.dll.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_th.dll.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00132_.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETSM.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115865.GIF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090390.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.IN.XML.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.DPV.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7EN.LEX.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00487_.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\PREVIEW.GIF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153089.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME01.CSS.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51B.GIF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Newsprint.dotx.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01180_.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0290548.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02790_.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212701.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152602.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_05.MID.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.SG.XML.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_zh-CN.dll.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00077_.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00361_.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18227_.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXPSRV.DLL.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\1100.accdt.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\EDGE.INF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITS.ICO.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR30F.GIF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Casual.gif.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Right.accdt.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217262.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18193_.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR47B.GIF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00728_.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_OliveGreen.gif.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Simple.dotx.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OPTINPS.DLL.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099179.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02389_.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZLIB.ACCDE.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CA.XML.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08773_.WMF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	InfinityCrypt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfinityCrypt.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D_auto_file\shell\Open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D_auto_file\shell\Open\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D\ = "F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D_auto_file\shell\Open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D_auto_file\shell\Open\ = "Play with VLC media player"	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1864	vlc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1864	vlc.exe
2740	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	InfinityCrypt.exe
Token: SeDebugPrivilege	2740	taskmgr.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe

Suspicious use of SendNotifyMessage 42 IoCs

pid	Process
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
1864	vlc.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe
2740	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1864	vlc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1864	1980	rundll32.exe	36
PID 1980 wrote to memory of 1864	1980	rundll32.exe	36
PID 1980 wrote to memory of 1864	1980	rundll32.exe	36

C:\Users\Admin\AppData\Local\Temp\InfinityCrypt.exe
"C:\Users\Admin\AppData\Local\Temp\InfinityCrypt.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2716

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\StepInvoke.docx.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D
1⤵
- Modifies registry class
PID:552

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\DisconnectWait.bmp.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\DisconnectWait.bmp.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1864

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D

Filesize
352B

MD5
a1e6b3dd9ca89b306c8630e545f33d65

SHA1
e827cf4bdf74f4344f31839cb424f09d1abc78f8

SHA256
fc8b2f8b5760fd037f3d7c2e7f389fa269ba6f1f441f43adee235405cd770847

SHA512
5236e9fb7d0abb8cf3eb0a8fcd227601a00df55fd40fd340f6b5b085ca029e058959c53ff9435c5ba23eda3f432d8cdcbce34255c35254edf91c135440cb1a1b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D

Filesize
224B

MD5
113ae08cf3f4296a54ce008e5776c958

SHA1
13eedf6ee36722056a4432df468a86d4df27e88c

SHA256
261e4a51763b45725d317f06266bb922685a273cd2bea21880f1c21414716634

SHA512
da02794b33044c9b6c1ad1bd00f8f8da733ce5d9c928dd3e8df08e8808031f9a1faadadc1a4315acc2f8cf649ed358427f15be0a61dd9f719392db62668cfb8d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D

Filesize
128B

MD5
714503b48fa4c9e9743161160128f04d

SHA1
d93a3a4d5edabceb03936bac900bab6ce759dc09

SHA256
fea0cd7b8dae35b599002bda80d6f0bb48e4b95ef06866f4d805ba2b96c21c80

SHA512
a19a48ce07bbcaa6ec40ea47a64b75f012adab3bb32201e2ced74464daa707fe2327fb34db389f28f5cc23739bbb0b7eb18b0f696ad7845d0ec3e922586e1a4f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D

Filesize
128B

MD5
c4d40f3f53ed715207a09bd330343b01

SHA1
8ddecb7bf8eed56fa7f83fb0ba6a76c9df7a5357

SHA256
07db577c0d7af69251b84cea6222a88a1f898a191fcb8992d4f08be693877dcc

SHA512
aa18e1de2996deace0405880f82555522d435805afa54d9ce8080acd48fbb73b3ed0b6e9861609e33ae7de8647263a20fe4d583f398022f3e21d8de8e856e6a3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D

Filesize
192B

MD5
fbc060ca932801bbd77bbdb95c0a27b9

SHA1
b5e380dc9b8cef07d101edb48982cf07add80e0b

SHA256
ffc758fbce45eff5f1cc04b94bd2a1b71db1ef240bc472534216432e8b3f9e9a

SHA512
90e9227df5f17b137dd4aa5442fde7bbc9f7efbe13bd116bde72faf1b431b4a6a2ffb13e980c41e0a1341a014d4dfb2db50276c9ef43c6f55aa54c94d596570b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D

Filesize
512B

MD5
b29daa7bc35d97419d20bcf0648ff4fe

SHA1
8d3078ec936ed27214d4c9d90f286ad210995042

SHA256
7ef7f3ab89aa6a05136bcbbd2743b879f07b291e026fc7c3e5ffe9cc893f5922

SHA512
28e66c920356440e1710ffb2b36c9f0001f12a951461bc8da5feb785b7573660624ecd64826c9659068950b7e72cd3b2da0f1e9e769fc87da100b92bf86cb363

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D

Filesize
1KB

MD5
25b0b606d200eb1be8659d05e6fc5119

SHA1
520b28c4752778417df0699f55dfea4b1a9aaaf8

SHA256
f40db953afe86b6709cc515b1cfcfc88dff91f9afb34d35eb7ac0cf7456990af

SHA512
5f30881d27a598c0efec84c7aab683df94e21d8f3eff81a496127df3943f8ee630d57a89cefcd3201c5b96429de103a5529910f3be064f6ceec3a4fc47efdbb3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D

Filesize
816B

MD5
3f08a567a404cd2f038cd8a379e07ca0

SHA1
2adf8f9338559a59cebc7118c987363e313db2fb

SHA256
fddec878f03b30fe663df764d2c0f47d9d999447dbe1d98e332b5f19c8f119bd

SHA512
09ed8e7fee9d7a38837d06dddc1e5efa0aa9fa1638dfb5bf4ae1f0847e08278851d7894d609434cc3fa35927d2ce0307ced6c14d34b66241b1a3a380b867c8f8

Download Submit
C:\Users\Admin\Desktop\DisconnectWait.bmp.F45C2425695CDA675327AD3C57344FD5AF55510C889639FEAF0F809807D4680D

Filesize
387KB

MD5
fd192ab9309d09d88602bd203d5d9fbc

SHA1
586908487d0cba66b0ec02d7eab835f6755f7828

SHA256
3a2c9a64ca53e9042fdf4bbc4a5ae23ea5d7cf878e305250f84958f62ed4c691

SHA512
fd088ffb9be2991eb197e58af4880797852828f47b0ceb29f2ba294252473d270cbb605d6a442a0aa0f1d234cf3791a83a885cd080fc74bc6c7bce8c7ed36d74

Download Submit
memory/1508-5386-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1508-561-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/1508-2-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1508-1-0x0000000000A80000-0x0000000000ABC000-memory.dmp

Filesize
240KB

Download
memory/1508-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/1508-5355-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1508-5356-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1508-563-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1864-5380-0x000000013F250000-0x000000013F348000-memory.dmp

Filesize
992KB

Download
memory/1864-5382-0x000007FEF6D40000-0x000007FEF6FF6000-memory.dmp

Filesize
2.7MB

Download
memory/1864-5383-0x000007FEF5020000-0x000007FEF60D0000-memory.dmp

Filesize
16.7MB

Download
memory/1864-5381-0x000007FEF7220000-0x000007FEF7254000-memory.dmp

Filesize
208KB

Download
memory/2740-5384-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2740-5385-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2740-5387-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2740-5388-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download