fantom | 61ecaf7009675e044f87dfe1d91ac4697812b68112ff52bf8ca90bae96cd495e

Analysis

max time kernel
620s
max time network
638s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-02-2025 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yell talk.txt
Size

2KB
MD5

d9cdff5e3d3346eb6655e22a295968b0
SHA1

bc73870a38539b18c98ebbabfea3187253fe52e3
SHA256

61ecaf7009675e044f87dfe1d91ac4697812b68112ff52bf8ca90bae96cd495e
SHA512

d82c9976dd41933ccaf4d37bc856cfe7a70fc819137a171ac339ba38fdf74a5a80b7d6a565c21ea7525ad5d2c69d6e70b59ce6753b126a5fea55867b0fc58a45

Score

10^/10

fantom defense_evasion discovery ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>Ljj8WZ8sBY5hYcrps2TbivQ3D1j9SOa5jzLEtRkSK07lYlv8i3pqxuJoup8oN5INnTkxEY6Fgc3KvElzcvaOeNWKryATNW0ntpVfyKwumzT2L4mSECDQb8hdqiiljmXRRwEe5GkRxtMLHKOEtbZVzYD+tJeJIwwMc+4YpvPGwgxLMGvumtrOop4djqVfGX/0cgcbKk8xMz6mSqcsnnpz+P6SAm2Y6lzFP7xgxeqXnPIUVnmdRzNESm3AhHXAG4ZtxuloMCYrU0lOC43pgB/19TE744YxPfrwdXu26RnRJkNtETrOkA7TLyvu+ZYpsdB5UYx5CGFT2CplHPV9P6HZeg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\PerfLogs\DECRYPT_YOUR_FILES.HTML

Ransom Note

Attention ! All your files have been encrypted. Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets. That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us. Getting a decryption of your files is - SIMPLY task. That all what you need: 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] 2. For test, decrypt 2 small files, to be sure that we can decrypt you files. 3. Pay our services. 4. GET software with passwords for decrypt you files. 5. Make measures to prevent this type situations again. IMPORTANT(1) Do not try restore files without our help, this is useless, and can destroy you data permanetly. IMPORTANT(2) We Cant hold you decryption passwords forever. ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. Your ID_KEY: Zi6Yh2cM/KGMew75St9lVX20fCJRH/N5L8SDowTPy/J6//SJivLxMYlyyLuCO29P/euDP8C2oYGcxoqKQC3/HpIKD7ivAtN4STGO6Eybf8KMq77zyCzuxtJd6eDKEDBGdQ0+FJ0adVlzsRsGPYhZhFir62GOuyBwqqR8AkMhCEEH5bGDUM6MQhfXqfKBejELe/yqOjoe/0h6WpT5iTJNsQNwPKZIozKdGifB4Q1cz3Idfl8IRI5Xx3v6fRQLxGLc+ZuWrerkLfSuC44EDGH1mVGtK5efFgxqTIcpcIBooQMNg7DSaV7R9P0Mp8lZaCaavvQFaZSuUaDm/dpQtmOyIw==ZW4tVVM=

Emails

[email protected]

Extracted

Path

C:\PerfLogs\DECRYPT_YOUR_FILES.HTML

Ransom Note

Attention ! All your files have been encrypted. Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets. That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us. Getting a decryption of your files is - SIMPLY task. That all what you need: 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] 2. For test, decrypt 2 small files, to be sure that we can decrypt you files. 3. Pay our services. 4. GET software with passwords for decrypt you files. 5. Make measures to prevent this type situations again. IMPORTANT(1) Do not try restore files without our help, this is useless, and can destroy you data permanetly. IMPORTANT(2) We Cant hold you decryption passwords forever. ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. Your ID_KEY: VYk00RxSdZ5RXE0P8x3Sia8cjYtpRJpnKJi7i+IE18JmSyAFYzzCGHjC+UFMJOncP0tErArlu9Zyr6gCzHtcM6hHq9i2TV6817cv++c/j8epFhC4SZOrAFqTYqmWBYpy61QQpZ5vKmSJMogBnyNJwXbJh6D+/CVFxI3f8DWaJJpmtzkODpZj+xrjuS68TF5LMBWWFWa+zNu2pfQ44Jo+gcpbdpLZOCb3RUp270mNkq+AmsRqY2INL34+pqAbNYjbUJigkWHd03QagzjNrxuIX+TCjbWev5GlzVLZ7SMGfr2aJXDKpZP4hjZypb83vCLCf8QyKxhHXBd/L1H+qjfClQ==ZW4tVVM=

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Fantom family
fantom
Renames multiple (270) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
defense_evasion

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	DeriaLock.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	WindowsUpdate.exe

Loads dropped DLL 1 IoCs

pid	Process
2352	Fantom.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
112	camo.githubusercontent.com
99	raw.githubusercontent.com
185	raw.githubusercontent.com
187	raw.githubusercontent.com
622	camo.githubusercontent.com
739	camo.githubusercontent.com
752	camo.githubusercontent.com
91	raw.githubusercontent.com
165	raw.githubusercontent.com
742	camo.githubusercontent.com
761	raw.githubusercontent.com
1007	raw.githubusercontent.com
106	raw.githubusercontent.com
108	camo.githubusercontent.com
171	raw.githubusercontent.com
624	camo.githubusercontent.com
626	raw.githubusercontent.com
762	raw.githubusercontent.com
1071	raw.githubusercontent.com
104	raw.githubusercontent.com
195	raw.githubusercontent.com
621	camo.githubusercontent.com
744	camo.githubusercontent.com
1008	raw.githubusercontent.com
634	camo.githubusercontent.com
90	raw.githubusercontent.com
109	camo.githubusercontent.com
115	camo.githubusercontent.com
147	raw.githubusercontent.com
191	raw.githubusercontent.com
620	camo.githubusercontent.com
628	raw.githubusercontent.com
750	camo.githubusercontent.com
179	raw.githubusercontent.com
189	raw.githubusercontent.com
758	raw.githubusercontent.com
105	camo.githubusercontent.com
107	raw.githubusercontent.com
188	raw.githubusercontent.com
635	camo.githubusercontent.com
741	camo.githubusercontent.com
753	camo.githubusercontent.com
116	camo.githubusercontent.com
169	raw.githubusercontent.com
172	raw.githubusercontent.com
190	raw.githubusercontent.com
199	raw.githubusercontent.com
619	raw.githubusercontent.com
625	camo.githubusercontent.com
1072	raw.githubusercontent.com
110	camo.githubusercontent.com
113	camo.githubusercontent.com
200	raw.githubusercontent.com
111	camo.githubusercontent.com
173	raw.githubusercontent.com
740	camo.githubusercontent.com
743	camo.githubusercontent.com
166	raw.githubusercontent.com
633	camo.githubusercontent.com
1111	raw.githubusercontent.com
1112	raw.githubusercontent.com
114	camo.githubusercontent.com
186	raw.githubusercontent.com
198	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	Fantom.exe
File created	C:\Program Files\DVD Maker\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	Fantom.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg	Fantom.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png	Fantom.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	Fantom.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv	Fantom.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png	Fantom.exe
File opened for modification	C:\Program Files\OpenWait.dot	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak	Fantom.exe
File opened for modification	C:\Program Files\BlockLimit.mov	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png	Fantom.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeriaLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpshare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
2352	Fantom.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe
1440	DeriaLock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1412	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	svchost.exe
Token: 33	2520	svchost.exe
Token: SeIncBasePriorityPrivilege	2520	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2364	svchost.exe
Token: 33	2364	svchost.exe
Token: SeIncBasePriorityPrivilege	2364	svchost.exe
Token: SeDebugPrivilege	2664	svchost.exe
Token: 33	2664	svchost.exe
Token: SeIncBasePriorityPrivilege	2664	svchost.exe
Token: SeDebugPrivilege	1236	svchost.exe
Token: 33	1236	svchost.exe
Token: SeIncBasePriorityPrivilege	1236	svchost.exe
Token: SeDebugPrivilege	1040	svchost.exe
Token: 33	1040	svchost.exe
Token: SeIncBasePriorityPrivilege	1040	svchost.exe
Token: SeDebugPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	572	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	572	AUDIODG.EXE
Token: 33	572	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	572	AUDIODG.EXE
Token: 33	1412	wmplayer.exe
Token: SeIncBasePriorityPrivilege	1412	wmplayer.exe
Token: SeDebugPrivilege	2352	Fantom.exe
Token: SeDebugPrivilege	2708	Fantom.exe
Token: SeDebugPrivilege	1920	Fantom.exe
Token: SeDebugPrivilege	1440	DeriaLock.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1412	wmplayer.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1236	1412	wmplayer.exe	62
PID 1412 wrote to memory of 1236	1412	wmplayer.exe	62
PID 1412 wrote to memory of 1236	1412	wmplayer.exe	62
PID 1412 wrote to memory of 1236	1412	wmplayer.exe	62
PID 2484 wrote to memory of 1960	2484	cmd.exe	82
PID 2484 wrote to memory of 1960	2484	cmd.exe	82
PID 2484 wrote to memory of 1960	2484	cmd.exe	82
PID 2484 wrote to memory of 2428	2484	cmd.exe	83
PID 2484 wrote to memory of 2428	2484	cmd.exe	83
PID 2484 wrote to memory of 2428	2484	cmd.exe	83
PID 2552 wrote to memory of 2340	2552	cmd.exe	86
PID 2552 wrote to memory of 2340	2552	cmd.exe	86
PID 2552 wrote to memory of 2340	2552	cmd.exe	86
PID 2552 wrote to memory of 2084	2552	cmd.exe	87
PID 2552 wrote to memory of 2084	2552	cmd.exe	87
PID 2552 wrote to memory of 2084	2552	cmd.exe	87
PID 2352 wrote to memory of 2904	2352	Fantom.exe	108
PID 2352 wrote to memory of 2904	2352	Fantom.exe	108
PID 2352 wrote to memory of 2904	2352	Fantom.exe	108
PID 2352 wrote to memory of 2904	2352	Fantom.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\yell talk.txt"
1⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3392 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3596 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=4180 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=2520 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2404 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=2948 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=2912 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4128 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=2360 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4332 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=2704 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=2020 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=1844 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2936 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=1120 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=2996 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:1340

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Program Files (x86)\Windows Media Player\wmpshare.exe
  "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1236

C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Downloads\Ransomware.Petrwrap\svchost.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2700 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:2716

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\hosts-master\hosts-master\disable-dnscache-service-win.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:1960
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\services\Dnscache" /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:2428

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\hosts-master\hosts-master\disable-dnscache-service-win.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2340
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\services\Dnscache" /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=4488 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=1336 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:1
1⤵
PID:184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4512 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=856 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4240 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=852 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:1144

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:2904

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4524 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4544 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4752 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4656 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:2992

C:\Users\Admin\Downloads\DeriaLock.exe
"C:\Users\Admin\Downloads\DeriaLock.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=1156,i,1413614740476690094,12754689456311946116,131072 /prefetch:8
1⤵
PID:1012

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
5df42ffe0947290538b2a9e6c4de8a06

SHA1
7351151489884b2774d0a4dee3c563741aea545d

SHA256
8f32c616ed16a4085b73b94844e127fe7c43eb0f0426893a9008aeb3524cb48c

SHA512
3f2dc511ad9e8eeb487671e23c345d1d186972ed60e767a10fb92fbadea9fb2bdd01a4f58f5271eb2edc21f8537507dd4b6840e559aa307d36f710ca3ef9bb13

Download Submit
C:\PerfLogs\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
96e0fe50b2741adf1d93f10c7b81bf9f

SHA1
cd4d38e2ff263cae83db09da0e289d205b7dcb5a

SHA256
0e33979585079866dc528a4f866ca78a2ec3e8522e0a5aa3b672e854064b207b

SHA512
19c5ad1c3f37137429d065f18cffd3130698c7ee30c09959452ecb89601ee0e897a798a607cabcdab21673506cee89517fa5731c8d3de089217d8f8506ce7a4c

Download Submit
C:\PerfLogs\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
b286842cefe9fc183c02497a24658a0b

SHA1
e80ce11c3d04955927f9e3846bb233b826aec0f3

SHA256
0688e714eb30cd807af484b62698b2465038904b64c3960fd9772b1a7b313825

SHA512
dac9593a340618c40af2a3f92b43a60976a0fcd06e553e726c8c392b8afd94dba4811132637d3f52c9446346c9306d36fa17f683efb48bb9cd4996b662e4dd85

Download Submit
C:\Program Files\7-Zip\Lang\an.txt

Filesize
7KB

MD5
dd4015f99d8ca0300a4e210800bd8065

SHA1
46728229070bc83a67932dbf230f0469942cd458

SHA256
3cf9e7661c55d215faace1cda6d364ac541c0dcf871e9a6283a28b9d96669f8e

SHA512
71ebc1852bfbc12092701e727f91440c648b945b86613d3105e64335abbb96eb0ba12a19d7762735d383464de3095692724e5475ec9ccef55f4365fc2c1c8faf

Download Submit
C:\Program Files\7-Zip\Lang\bn.txt

Filesize
14KB

MD5
ec2ed89a03bb3bbceb3606288af054b4

SHA1
9f1a077cf91b934a18372c233fee97f7c2040a4a

SHA256
11bccbd7e749c29087cc3327d68baa4cbe939bf7587831ce48cf5518588373e9

SHA512
630e5a124b76137145fb9d2ca1516a233c586967dd4701462e717d3cab857dee9e2820dbf692279ee50128aa47c03115a012ec0038b8023979017b8c2b7858d1

Download Submit
C:\Program Files\7-Zip\Lang\hr.txt

Filesize
8KB

MD5
eef6342ba1410eb7bc1bee6c20c384cb

SHA1
6a4f5c77793f4946a56bab1d0af66730cf017862

SHA256
670f21ede71f1afed7a90a724e3c8bb24226fde4016a79b7d5b72c30d29a902b

SHA512
9789572e3680436aae7760235f64a05f10ea4be466b16e50f81b6bafb1bea466a9b0eb06aa8a124594e7b630c5dd4938cf1e70d7dd478b82bc50a9c230631b67

Download Submit
C:\Program Files\7-Zip\License.txt

Filesize
3KB

MD5
2c3b82ad05096b0ab7dd12ba560007ad

SHA1
391db667e7fe3e76d9b55abde060a5db96557da4

SHA256
b1e153620ad47bdf8b1c5c5be880cdbea56283b0b2f346f8a46bb1b479f44a1c

SHA512
fc0469becd3af7dc3ec294b689b48124e727c548986b16006e9131cef1ac60d2a2243aaef27353a2d84a8874a12809f153ebc5367d59d6db79008bcaa9c3e520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{0261A917-219F-4788-B1DB-16A0DABF9800}.jpg

Filesize
22KB

MD5
35e787587cd3fa8ed360036c9fca3df2

SHA1
84c76a25c6fe336f6559c033917a4c327279886d

SHA256
98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2

SHA512
aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{75E319E8-F55B-4230-98FB-C95C26E2F992}.jpg

Filesize
23KB

MD5
fd5fd28e41676618aac733b243ad54db

SHA1
b2d69ad6a2e22c30ef1806ac4f990790c3b44763

SHA256
a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

SHA512
4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms~RFf7b2397.TMP

Filesize
1KB

MD5
ef95e833e793aca1bd06d517c56a38aa

SHA1
54164b8a7b34227b6652a99475b84195dc8e8769

SHA256
4f29ca20902412dc848557a6dab62176d02385220459f834a169a86bcab0ad4a

SHA512
6f84f2413f97db799a45b50e5886c5c777caa1a12ec3b5e78a12c6e44efd79a8557d794025da47673587808f05882894cd0e545b80d5a443b9cfcb0e8178527f

Download Submit
C:\Users\Admin\Downloads\hosts-master\hosts-master\data\add.Spam\readme.md.deria

Filesize
208B

MD5
4c0ed6b9f66946a2faca7393250186c6

SHA1
72499c3ae82271e8488f3d59081043c3406cfeac

SHA256
4a6d83a500a670d4df992ba8d4cad423b90178754c91338eafbb3381fa760ce1

SHA512
fcc961e823a889db3be0a8f83e70b4a959fb36092f55137d21ce6f4e3439e76e84bd82a43e5fdf654108db9d21245c4d844092fdc8684f75e9a3fa6d5d854bd3

Download Submit
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg

Filesize
32KB

MD5
84bba83cfbc0233517407678bb842686

SHA1
1c617de788de380d28c52dc733ad580c3745a1c1

SHA256
6ecf98adb3cd0931ec803f3a56a9563c7d60bb86ec1886b21e3d0f7eb25198d9

SHA512
a6a80c00a28c43c1c427018e6fb6dac4682d299d2f50202f520af0b1bca803546c850f04094ed2f532ff8775f6d45f2a40e4f5e069937bcaa0326a80bd818e0e

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
memory/1412-2-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1412-68-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1440-494-0x00000000008A0000-0x0000000000922000-memory.dmp

Filesize
520KB

Download
memory/1920-369-0x0000000001F60000-0x0000000001F92000-memory.dmp

Filesize
200KB

Download
memory/1920-368-0x0000000001EB0000-0x0000000001EE2000-memory.dmp

Filesize
200KB

Download
memory/2352-143-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-124-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-162-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-160-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-158-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-156-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-154-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-152-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-148-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-144-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-166-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-140-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-139-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-136-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-135-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-132-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-131-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-128-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-126-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-165-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-122-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-120-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-176-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-119-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-117-0x0000000001ED0000-0x0000000001F02000-memory.dmp

Filesize
200KB

Download
memory/2352-168-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-171-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-172-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-174-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-938-0x0000000002000000-0x000000000200E000-memory.dmp

Filesize
56KB

Download
memory/2352-178-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-118-0x0000000001F20000-0x0000000001F52000-memory.dmp

Filesize
200KB

Download
memory/2352-180-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-182-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-150-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2352-146-0x0000000001F20000-0x0000000001F4B000-memory.dmp

Filesize
172KB

Download
memory/2520-81-0x0000000002140000-0x0000000002192000-memory.dmp

Filesize
328KB

Download
memory/2708-243-0x0000000001E00000-0x0000000001E32000-memory.dmp

Filesize
200KB

Download
memory/2904-949-0x00000000012C0000-0x00000000012CC000-memory.dmp

Filesize
48KB

Download