b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b

Resubmissions

23/01/2025, 02:51

250123-dcffvsyley 4

23/01/2025, 02:39

250123-c5b4gaxrez 3

Analysis

max time kernel
417s
max time network
846s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23/01/2025, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fumareply.gif
Size

43B
MD5

325472601571f31e1bf00674c368d335
SHA1

2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a
SHA256

b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
SHA512

717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OIS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "100000"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00187dfc416ddb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup\margin_right = "0.750000"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup\footer = "&u&b&d"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\SuppressScriptDebuggerDialog = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000da9dbb9ad506d0448578c53efee018d0000000000200000000001066000000010000200000002e7fd491eb2933dcc38dab03a5629a64f0bb50d7d41c3461241defce4ce2579c000000000e80000000020000200000000815fb883368edea0131e24a277078d407f3626cb52a26aa174ebf31052e431d20000000a566e8b41c0659eceb6195d6b8978cd7c6322212502dc7d8b82103b4e42a807a40000000123a51ef125880c82e03734a04cd6f349ca8227728bd2bb0fd6a07743521ca39682c14ee35e1803d3e33cf8945323bccc7d58c6dc89fa3e12b0dbfe5c0293355	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup\margin_bottom = "0.750000"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup\Shrink_To_Fit = "yes"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\SuppressScriptDebuggerDialog = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27ED83D1-D935-11EF-A4C8-72E661693B4A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009acbbc286be63c4682a409f320de94d7	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup\Print_Background = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup\header = "&w&bPage &p of &P"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup\margin_top = "0.750000"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443762647"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup\margin_left = "0.750000"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "100000"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000da9dbb9ad506d0448578c53efee018d000000000020000000000106600000001000020000000f5419c7fd44bc0a85817ae1923860211639d4658b2546f6ec04d503eaec62b7d000000000e800000000200002000000048bcb51baab9faa917975a4398e38a149152b193aa2fcc6c8feba122ed15b66c90000000f68a65e576343ec634979eb44659b43af628b3a5ac2c4671060df600e50b036356feb248edc27c723cab1e0f61c39b939fc5efcfed7b35462af6fa4c6f5fc318f619090eeeb8549537feeb6d9134e89d54c3a546550f788c5e52d74c7180ac9e5f018c84694067266caf7f3dc4c120a37fdd748de32a31ffb1bf1841fb97c74cc3774efeaaddacaf602cc6e65710a30d40000000009e6377cdf630744d1008be4eed4c2bf923157853a3b236d5c28439682a3518c2e579835cf88750efd7ecf18d0aff70f3b6132682041657b8aacfa73e32274d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile\shell\Open\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OIS.EXE\" /shellOpen \"%1\""	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\shell\Edit	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISbmpfile\shell\Edit\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OIS.EXE\" /shellEdit \"%1\""	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\DefaultIcon\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OIS.EXE\",4"	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\shell	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISgiffile\shell	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dib	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISbmpfile\shell\Open\command	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISgiffile\shell\Preview	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dib\ = "OISbmpfile"	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISgiffile\ = "GIF Image"	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISgiffile\shell\Preview\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OIS.EXE\" /shellPreview \"%1\""	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISbmpfile\shell\Preview	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISbmpfile\shell\Edit\command	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.png	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jfif	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile\shell\Preview	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gif\ = "OISgiffile"	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\ = "PNG Image"	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jfif\ = "OISjpegfile"	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile\ = "JPEG Image"	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile\shell\Preview\MuiVerb = "@shimgvw.dll,-550"	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISgiffile\DefaultIcon\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OIS.EXE\",2"	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\ = "OISbmpfile"	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile\shell	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpeg	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.png\ = "OISpngfile"	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\DefaultIcon	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\shell\Preview\MuiVerb = "@shimgvw.dll,-550"	OIS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bmp	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISbmpfile\DefaultIcon\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OIS.EXE\",3"	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISbmpfile\shell\Edit	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISgiffile\shell\Edit	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISbmpfile\shell	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISbmpfile\shell\Preview\MuiVerb = "@shimgvw.dll,-550"	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISbmpfile\shell\Open\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OIS.EXE\" /shellOpen \"%1\""	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\ = "OISjpegfile"	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile\shell\Preview\command	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISgiffile\shell\Open\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OIS.EXE\" /shellOpen \"%1\""	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile\shell\Edit	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISgiffile\shell\Edit\command	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile\DefaultIcon	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile\shell\Preview\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OIS.EXE\" /shellPreview \"%1\""	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile\shell\Open\command	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\shell\Preview\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OIS.EXE\" /shellPreview \"%1\""	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\shell\Open	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\shell\Open\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OIS.EXE\" /shellOpen \"%1\""	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile\shell\Open	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpe	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISgiffile\shell\Open\command	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISgiffile\shell\Preview\command	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISbmpfile\ = "Bitmap Image"	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\shell\Edit\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OIS.EXE\" /shellEdit \"%1\""	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile	OIS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpe\ = "OISjpegfile"	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISjpegfile\shell\Edit\command	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISgiffile\DefaultIcon	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISbmpfile	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\shell\Preview	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\shell\Preview\command	OIS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OISpngfile\shell\Edit\command	OIS.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
884	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1588	iexplore.exe
2824	OIS.EXE
2008	rundll32.exe
2772	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
1256	iexplore.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
1256	iexplore.exe
1256	iexplore.exe
2388	IEXPLORE.EXE
2388	IEXPLORE.EXE
2388	IEXPLORE.EXE
2388	IEXPLORE.EXE
2388	IEXPLORE.EXE
2388	IEXPLORE.EXE
2388	IEXPLORE.EXE
2388	IEXPLORE.EXE
1588	iexplore.exe
1588	iexplore.exe
1588	iexplore.exe
2388	IEXPLORE.EXE
2388	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
2804	iexplore.exe
2804	iexplore.exe
2268	mspaint.exe
2268	mspaint.exe
2268	mspaint.exe
2268	mspaint.exe
2824	OIS.EXE
2824	OIS.EXE
2824	OIS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2892	2888	chrome.exe	30
PID 2888 wrote to memory of 2892	2888	chrome.exe	30
PID 2888 wrote to memory of 2892	2888	chrome.exe	30
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2616	2888	chrome.exe	32
PID 2888 wrote to memory of 2868	2888	chrome.exe	33
PID 2888 wrote to memory of 2868	2888	chrome.exe	33
PID 2888 wrote to memory of 2868	2888	chrome.exe	33
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34
PID 2888 wrote to memory of 2704	2888	chrome.exe	34

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\fumareply.gif
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c19758,0x7fef7c19768,0x7fef7c19778
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1240,i,10677386116571883848,10662417350217005471,131072 /prefetch:2
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1240,i,10677386116571883848,10662417350217005471,131072 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 --field-trial-handle=1240,i,10677386116571883848,10662417350217005471,131072 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1240,i,10677386116571883848,10662417350217005471,131072 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1240,i,10677386116571883848,10662417350217005471,131072 /prefetch:1
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1000 --field-trial-handle=1240,i,10677386116571883848,10662417350217005471,131072 /prefetch:2
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2988 --field-trial-handle=1240,i,10677386116571883848,10662417350217005471,131072 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3012 --field-trial-handle=1240,i,10677386116571883848,10662417350217005471,131072 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3256 --field-trial-handle=1240,i,10677386116571883848,10662417350217005471,131072 /prefetch:1
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3752 --field-trial-handle=1240,i,10677386116571883848,10662417350217005471,131072 /prefetch:8
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3776 --field-trial-handle=1240,i,10677386116571883848,10662417350217005471,131072 /prefetch:1
  2⤵
  PID:2756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2736

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fumareply.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1256
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1256 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2388
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1968
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1256 CREDAT:275475 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1588
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1256 CREDAT:275478 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3020
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1256 CREDAT:472075 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2804

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\fumareply.gif"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2268

C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
"C:\PROGRA~2\MICROS~1\Office14\OIS.EXE" /shellOpen "C:\Users\Admin\AppData\Local\Temp\fumareply.gif"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\fumareply.gif
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2008
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\fumareply.gif
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:884

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\fumareply.gif
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
035cb2ac2a9a8878f1ef77aa88f72254

SHA1
675e6160e827a80ce40e656fcbd65f6fac9f3719

SHA256
068a98ab3de37a129ef2167774f00dac618ce406a8945fef52f21c988038530a

SHA512
712669ca57a5b3ab58e1d814aa0bf01b363de50301d0850c9adf2f0bb3d5285f562521131268789da9c2c2af17a05ad80030c97fda46310402e5d238c0ac6bcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79b823c64f30dff5824e00b189742ffa

SHA1
0616bd2e75bb616dabec6cd8e95ca9c4ef9e17ab

SHA256
d98c7fa155a7dece83c7f1fe2d3949d4304f878a5feae2666805336b08198c18

SHA512
b9e1ac9c04e56ed40968495ede2fbd6b3ccc59c649d075a249be1f09004a7531525bd593ad1538226efd08ee24230395db6ae4de5b731613400705f1a0cd2e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f20ee2f9dfcf1dbaa0b06b3163dd4f71

SHA1
8a390ccc207ea09b79d2bc086a842d10f07d18e8

SHA256
79c2dfba3436839d73e4285af64d1bc86b5ddf233e5c74ccef8bc4dff847abc0

SHA512
71a355653fa4139892512e18c155361c17e360e8a306eb7736497e6030ad0d15490b2b2ce3138d573480cf3e30e0fce1899cece8862b73282e5747d4621436fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79957ff4a2956372bee74dd0e710a2f5

SHA1
d4e259788b857c20695a34065d195ee7ee3a37ba

SHA256
69d8d544cf30e6a0f454d35ab440027f408bfb2f7fc13d63a738847f211fc140

SHA512
596399b71188cb97faeab6ff3c003efa7d82029cfcf6eae20c4230ad60a268f230619d935df352f2d4bfed12737394c7308268f64333f8811840866a98ba9920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05d7952db4aaa3527b452f1847214ffe

SHA1
6e481f846babfced9019b6860f4509126e1ee1f9

SHA256
693c828714a0e970c4853e05c6fcbb69f4eda0942aec7513a8af2f6db74a9c65

SHA512
4f3fe8e3c6695f40a6e5e259c9dbae619ed30268bce8590b40de8d7b96ce279820b2f25ab86d2db43d18753689132caba96fbe69504b0945c3c64d693b304a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3a31f16c3cee7d9e9ced3c7e2156c9c

SHA1
accd0ed131b3869a454895a3224b19b26bc2b7b4

SHA256
641c8675267fdb69cea02f402171b54e85d519185fa7f612aec0e1185b488adb

SHA512
502cbca5fc542d7b99417ffd65dadeaf40df7e57af26eb5ee1c8b0cd9fcdc96088df79627ac07e8c5ba1156a623f72d676bccf795d79ba870a58daf261a4a22e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39134fcdd22c47c75e17fbcb1c30688e

SHA1
d1cbe87ebdd189638ff9ebd453739c23945e83af

SHA256
8236969a79e96b95040ecbb3ad46ca90c1b5d46004d254201c983eff69d9ca34

SHA512
ec1bf0a01b1e0311fdbbbdea35fe1fe860571661f5600029677c5a2428ba8e90346f9d76c9323b78a284743e666f1089c1d24610b52a4ae8aa05333b4c523768

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3177078992f4eb3f00e5358d47fb7570

SHA1
20c11b764b74d63cfc03be415a91ef7ac2406ccc

SHA256
28d7db02759dbbab494823c80f31ca7d7737afc31cc3720eec106a3a92786f1a

SHA512
50dcd4e248807cf66eb9469cf8388f41ccc28daf62a67f4b0d7a32ef64594158c82ea31d111e5c827ddbcc8786d4c2c3e224d38c8df514be560f4013053765cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c058bc24558fdf0b43be668256d8f2ca

SHA1
1ea0363a96140d140aa8c825ee5001a2fc2171ae

SHA256
c41478ee0986b262fd50a80716a8c5b5d7d2618cc999e35f57c5c8c51f35a952

SHA512
2deec728fb817704bd1dd76bf5f776cbf56e1bc3d4b7bbc80c35b639f13a085053665a1cf3c1d05d8bc6357266542c15aae1ac8211908a40cd2292c51b049d97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a34236869f33114c2f978e20208ec147

SHA1
14013d0739bce5cb8c8ef1c0ef54be162404476e

SHA256
7805e70305a71f87e4ed2ccd8ad0dac2ef912a869ad3fbfee2e266b8afefb875

SHA512
2180fc20ec99f7a314e611108f6bf3c03a4115593eae5205551c65dbca95421742f6d45bb771ca5b7b5806a6376ec1adcc4a214cff36a7cf6b3fe0bb19a2b3c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15f8b2694fd4349f5b84c3260e280711

SHA1
926d125ac8e6c509fa40821913ff64974dccb123

SHA256
c277bd1f726e49771c58de699238f111d1bd2f036f3e9ae03aab915c303d8708

SHA512
6a76ac7ba7a4b7530a740bdeff1287c49a2ff93996da4d8bb737606e5dae62591b4207015a6d6cde2478fb16e8dcf04186090109de4d9de8a327cebdfd5b129e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79f41c7e07209e56ba8387f6ffa240b8

SHA1
275d48e8b40db51bc3d591ebb0235ee83ba38d78

SHA256
149657553bb007ea3f9ae29dd08a07e3be01defad82800477c89ed7e0d5b6f2d

SHA512
8d989e28c3c0db3abf16a93cbee3e356106f0cdb28ddbdb05bd9f9596056d04cfb0ff7f0f55e4a585bfe95f56651baae4db105b19209d47a6eef0c12833dc953

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd077eaff0fd95cdd89744d1578adfa2

SHA1
2d7f9bc9ee18dca8db2d1d44b9d87cd6a7d73d48

SHA256
bf4f2ca127e9c44e0c9212007620ed162cb8042ab09e7cc92f7a240de94a2b4c

SHA512
927f4014f45f5a1961d7f052c6e2b7680a82c56045f43015b32ff4f5df44bf238a7379e287387a3d694c75e6f8d6e9698f0cd39ca8c4c87a746dfc07104e65ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57ab3858b3a0e9c8cbf4b5ce359e8de7

SHA1
73de39e183c9fdc4a439e8629319cbce1d9c8a07

SHA256
dca3b55b4916ce9b86f79b67d21041adfcf4ba29841e1ce8f6faa1bf726d86ab

SHA512
8275e08fe5353f08611637dd2f042e13647bad8f7a9060816b2717273833d1c6ba80444464443e12eda74e9738f7b63258c7df6c3a29a3e4299c989036f93319

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2507750a75833a4ed08ac7002470f327

SHA1
a209407eeaa160d269815e393465e5b2817a9d90

SHA256
6cef595c6a439c297642ae67af362fe425f5d4b0b9b896d15ebee68343b8a4f7

SHA512
c7014e61f90d72ce53b6c40b5a457c9baad08eafb7e5aacaa7c0be847e0615bbad837da6819dc4b3d5be06f4c682c076e39e6508d5eb9acd51854b38943684b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
868a6a125d2c7d75abd3736b25d3988e

SHA1
f183d16d4f9d69ed6250f3dca345c98a3258b70c

SHA256
ef50d59a6a9552d03b7dc96cda6b5dd360a8aaee15deaf61b85d00116807613b

SHA512
75f82f0d812a863c8e65f69f7d1165a543106e2c24b970e782c460d626b788a4fa4de20a1acf06e8c4ad339c89569908974323044d0ac9d8ca473fe2d4898ff4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6720fc01c8e1a60d83d1e68b7bd3150e

SHA1
f4c73f7c89890eb629d945e87411b8a8b5f95e7f

SHA256
86d051b3141665917fc4c9a516e4ac23a5d6f277b4f62c1df2a2c4153ff05036

SHA512
9cb3dbb387cb883b6bb4cd2489701812796583023b1d5962936fa13826141f24d1c0954b8e0419f974fcd7aec4b1e055fb9faa11742baa9dd0755fd3d778b162

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a227a0cd956ad8dd90e09b96b8f32959

SHA1
7c5467e124a0d287608f2c99c63b725a556740aa

SHA256
5906894a7b94b632698a99342d982d0b73f7ebda9d19bed02c933a07440694da

SHA512
e01be3ddecc71ae47c59366162281df6bdf5a0542640bb12f4abeee6a45e649deac4e9e70b0a1fd848902e13785b103d84e6e2c9e0946a87adc40071bc142915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05d5105cc6a3a1096c4f4ea8229cac9a

SHA1
472452db933ce6321cc239351ebec0d33271dced

SHA256
c7057f95aaed00818becc265853c0389ccf267b2c17668f68b0097451c52e5f4

SHA512
b2e4933898ee22fb729e744b01d2edaba720863e035b576366c3070cc868ef73436a59b91f6255701653cfbdde1cdcf23adb05fe9ffff4a501d6646f7e58e239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e08b7f5af5cb1eff345b39ebc2527791

SHA1
82d3dcbf05ece363d2211d12d6f7631a4fa529a9

SHA256
b7d256417a8519cc6bb7349873973d5540e8242229185d5d06f759d9df14fc5e

SHA512
0595ff6a9a3d34f5af2e6c15b15802c00c3e55f3a2bdfdaa96c889a4b0c67576d0f0eddaadc58c8243d33e7b85c5689d086c0f2d527ecb0529799ad27fc385d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
973c687b4a627ae7ebd8296e92595357

SHA1
1bbfc79240fb729603bf1115a56bf2f9f8c2e9b7

SHA256
9a00f5cb8467a9772246b8aa656694beb1d4e828e797d6abda4eba199d194092

SHA512
9d48e42fa23bb0fa3cc799c9e4dacac0609ac9e9ea4aa782087aefdbea4eb7f140c48c10c9ddec0638f7e95e3cc9dc2cd80215b41ed4577f949097df492e5e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4427c9cce7f67f826005301b2778c216

SHA1
35c269e2a1fdf844787f8769cd89c6efecbb1228

SHA256
8c854b3e726a43fb498e0a6cb30fac76f5deb70c285d640b048feca1a84ca46d

SHA512
108b91c1af3e418e71aa543a7a6930a417a308d9f293e4b576ace56a29e7c9e0eb71bd7ca232c5e33c90e591892c839b3122b29f880947ef2d1008e54813b86d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
62ec657b237cbccd7c479d1cf3027dd8

SHA1
228fd9ca0e983880163b9934e33321f8564d2db0

SHA256
1d8bde6df10c25d6a69c6bf11ec566f2a9e378c897947a1316d7feb308eeab80

SHA512
75122abe26f1022ffedf36a472dedb8a93014d5d0fb11d5ede4f03a3a0a73c6a4f1f05bc0bd9f361ab98f0a4deec175423e677bac69cd3a9b81a2eff786037ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d369920747fd81a235a9fa962995081c

SHA1
f675306db7e7567a1818099e1345f44b87c62969

SHA256
1550aea11c20f7052a5f4937e572ef130f7f816f00bd6886ad6660f738cfb52c

SHA512
2284d0ef5aacbd3886bd7d94a9e9f2ac5f268f45116d49f477c62012d2a24be0fefb73baab75a1b658a6a00782be39bb654d477f85763ab2f468c408e1e387a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
161KB

MD5
fe1b7548f72a4f702693a8cb5f7de48e

SHA1
9c198d25530c0d1b7e4ae3ab21289c2fd27ec711

SHA256
98cc715d514305b32448dc6b5fa0fb85fe3ea64e512d5b6670564aaa54469af8

SHA512
67fe4946acfa5a7c8689cbe2ce5f24a0ebe3e3136a173846be5ab28959c60ab1129f3cd0b378a5a8b0f358f037bf00dd3d969251ffdce5ed255e35cfd34f9193

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
161KB

MD5
01019ca6de1b529975988c98c3860f5e

SHA1
9ff3bbc5b73ef0103df5df8de3c5177b61a0935f

SHA256
68838090960d3eb52bad61c8a26e6b1b8283476d76ebfee6ca260c73cb69d709

SHA512
9d4140b45e0ac35280acda14f3746213d5afd186e8dbbbf830ab2f622c1255366fed5e0bcb72136925a38c2e521191fa5e9fd0aad3d21f97595cf4498c627b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\plugin[1]

Filesize
721B

MD5
2059709fb1d149cb7ac8286dfe3290bd

SHA1
bb221ffcdc093c292d21c7587229dd694dff425c

SHA256
d03025c04024346cfc8ee8f9373940b97a468bf63e68d3ecc77e8decd955cd06

SHA512
a0e549778f418f524faac4da64707ba520cee0516513c15f9ebf8435c6e00ee2b7a82a87e589aeb5513d20941717b599cfc9f1fd4d25c889ddc4682f4b119bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8B420DKQ\plugin.f12[1]

Filesize
373KB

MD5
4728cc3d8e07da601a019e7a514f15da

SHA1
9eaaba1d74b209e28d938282461f2961a83e0ec8

SHA256
e689de995a544938a9dd11bf411ad1a31843ad399d78c3aba4e94718ede265ae

SHA512
596f9cacfaea5c8355b81c45a7ca6ed9b3d500845c35a3ff14d59c2ba8c124dce54edb816848fabf858ce4dd56930efb8c63637b07359a8a32343a9a39e94aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF807.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\S1PVFXJO.htm

Filesize
533B

MD5
bdcad2b3e5b6aad4422450fd42410060

SHA1
08ee0c8861873985b92686284329d4a1c67516da

SHA256
b7051468e98a7c7db7d8179f7c0da95d14e24f4df4d1007254f6d1a08ce3964a

SHA512
38184ced420024365ff065dfde648e0bcf7f7a11d72d3722518d7c1b0f38a455055efd402489bff9fdffd75246fac35c9764748b9e8e4aa4c2d6630a5b7dab21

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF878.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2268-1190-0x000007FEF25E0000-0x000007FEF262C000-memory.dmp

Filesize
304KB

Download
memory/2268-1191-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2268-1204-0x000007FEF25E0000-0x000007FEF262C000-memory.dmp

Filesize
304KB

Download
memory/2772-1205-0x00000000038D0000-0x00000000038E0000-memory.dmp

Filesize
64KB

Download
memory/2824-1199-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download