38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/03/2025, 18:58

250301-xmhhrayp15 10

01/03/2025, 18:55

250301-xkqrcaypx7 10

Analysis

max time kernel
802s
max time network
851s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
16/02/2025, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Size

669KB
MD5

ead18f3a909685922d7213714ea9a183
SHA1

1270bd7fd62acc00447b30f066bb23f4745869bf
SHA256

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA512

6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
SSDEEP

6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

Score

10^/10

discovery persistence ransomware upx

Malware Config

Extracted

Path

C:\Users\Public\Documents\_readme.txt

Ransom Note

ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 046Sdsd3273yifhsisySD60h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1

Emails

[email protected]

URLs

https://we.tl/t-T9WE5uiVT6

Signatures

Renames multiple (212) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
53	1856	Process not Found
124	1856	Process not Found
123	3080	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Executes dropped EXE 12 IoCs

pid	Process
1644	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2200	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4332	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4880	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3904	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1932	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4620	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1544	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4760	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4116	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3400	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e62cc969-0181-49de-8473-8b92e1048a99\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart"	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Drops desktop.ini file(s) 35 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Looks up external IP address via web service 19 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
129	api.2ip.ua
108	api.2ip.ua
109	api.2ip.ua
110	api.2ip.ua
111	api.2ip.ua
121	api.2ip.ua
9	api.2ip.ua
29	api.2ip.ua
118	api.2ip.ua
120	api.2ip.ua
119	api.2ip.ua
7	api.2ip.ua
56	api.2ip.ua
66	api.2ip.ua
98	api.2ip.ua
57	api.2ip.ua
112	api.2ip.ua
130	api.2ip.ua
131	api.2ip.ua

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral24/memory/1336-0-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral24/files/0x000400000001daef-13.dat	upx
behavioral24/memory/5076-14-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral24/memory/5076-19-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 17 IoCs

pid	pid_target	Process	procid_target
2320	1336	WerFault.exe	86
4176	1652	WerFault.exe	107
1040	856	WerFault.exe	104
640	896	WerFault.exe	105
3792	5076	WerFault.exe	90
3404	2200	WerFault.exe	138
4720	1644	WerFault.exe	127
1220	4332	WerFault.exe	139
2300	4520	WerFault.exe	137
2748	3904	WerFault.exe	156
4392	1808	WerFault.exe	154
2172	1932	WerFault.exe	158
3320	4880	WerFault.exe	155
4792	4760	WerFault.exe	175
1112	4620	WerFault.exe	173
3156	4116	WerFault.exe	176
1720	1544	WerFault.exe	174

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2708	MicrosoftEdgeUpdate.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-194335498-2604837297-537231065-1000\{0758037F-6DA3-494D-B803-F6290A7B051E}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1336	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1336	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
5076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
5076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
896	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
896	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
856	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
856	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1652	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1652	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1644	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1644	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2200	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2200	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4332	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4332	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4880	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4880	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1932	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1932	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3904	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3904	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4620	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4620	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1544	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1544	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4760	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4760	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4116	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4116	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe
Token: SeShutdownPrivilege	2704	explorer.exe
Token: SeCreatePagefilePrivilege	2704	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 3400	1336	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	89
PID 1336 wrote to memory of 3400	1336	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	89
PID 1336 wrote to memory of 3400	1336	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	89
PID 1336 wrote to memory of 5076	1336	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	90
PID 1336 wrote to memory of 5076	1336	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	90
PID 1336 wrote to memory of 5076	1336	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	90
PID 5076 wrote to memory of 856	5076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	104
PID 5076 wrote to memory of 856	5076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	104
PID 5076 wrote to memory of 856	5076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	104
PID 5076 wrote to memory of 896	5076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	105
PID 5076 wrote to memory of 896	5076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	105
PID 5076 wrote to memory of 896	5076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	105
PID 856 wrote to memory of 1652	856	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	107
PID 856 wrote to memory of 1652	856	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	107
PID 856 wrote to memory of 1652	856	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	107
PID 1644 wrote to memory of 4520	1644	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	137
PID 1644 wrote to memory of 4520	1644	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	137
PID 1644 wrote to memory of 4520	1644	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	137
PID 1644 wrote to memory of 2200	1644	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	138
PID 1644 wrote to memory of 2200	1644	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	138
PID 1644 wrote to memory of 2200	1644	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	138
PID 4520 wrote to memory of 4332	4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	139
PID 4520 wrote to memory of 4332	4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	139
PID 4520 wrote to memory of 4332	4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	139
PID 1808 wrote to memory of 4880	1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	155
PID 1808 wrote to memory of 4880	1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	155
PID 1808 wrote to memory of 4880	1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	155
PID 1808 wrote to memory of 3904	1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	156
PID 1808 wrote to memory of 3904	1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	156
PID 1808 wrote to memory of 3904	1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	156
PID 4880 wrote to memory of 1932	4880	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	158
PID 4880 wrote to memory of 1932	4880	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	158
PID 4880 wrote to memory of 1932	4880	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	158
PID 4620 wrote to memory of 1544	4620	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	174
PID 4620 wrote to memory of 1544	4620	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	174
PID 4620 wrote to memory of 1544	4620	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	174
PID 4620 wrote to memory of 4760	4620	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	175
PID 4620 wrote to memory of 4760	4620	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	175
PID 4620 wrote to memory of 4760	4620	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	175
PID 1544 wrote to memory of 4116	1544	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	176
PID 1544 wrote to memory of 4116	1544	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	176
PID 1544 wrote to memory of 4116	1544	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	176

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:3400
- C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 856 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1652
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1092
        5⤵
        Program crash
        
        PID:4176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 1684
      4⤵
      Program crash
      PID:1040
- - C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 5076 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1568
      4⤵
      Program crash
      PID:640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1688
    3⤵
    - Program crash
    PID:3792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1636
  2⤵
  - Program crash
  PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1336 -ip 1336
1⤵
PID:1176

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjIzRTQ0RkMtQkYxRS00RUIyLUI4MjMtMjE1MkIyRDkzMTRCfSIgdXNlcmlkPSJ7MkMyRDE4OTctRkM3Qi00NUIwLThDOUUtREY4QThBRUVDQTQ0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUJGN0FCRDMtMjRDOS00MjY4LTkzNkEtODEzRTFDQzAwQThEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI4IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTAxNDMwOTA3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1652 -ip 1652
1⤵
PID:592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 856 -ip 856
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 896 -ip 896
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5076 -ip 5076
1⤵
PID:3928

C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  "C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 4520 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1616
      4⤵
      Program crash
      PID:1220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 1656
    3⤵
    - Program crash
    PID:2300
- C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  "C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1644 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1156
    3⤵
    - Program crash
    PID:3404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1652
  2⤵
  - Program crash
  PID:4720

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2200 -ip 2200
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1644 -ip 1644
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4332 -ip 4332
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4520 -ip 4520
1⤵
PID:3280

C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  "C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 4880 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1076
      4⤵
      Program crash
      PID:2172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1644
    3⤵
    - Program crash
    PID:3320
- C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  "C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1808 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1608
    3⤵
    - Program crash
    PID:2748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1520
  2⤵
  - Program crash
  PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3904 -ip 3904
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1808 -ip 1808
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1932 -ip 1932
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4880 -ip 4880
1⤵
PID:2372

C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  "C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1544 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1612
      4⤵
      Program crash
      PID:3156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1656
    3⤵
    - Program crash
    PID:1720
- C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  "C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 4620 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1168
    3⤵
    - Program crash
    PID:4792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1636
  2⤵
  - Program crash
  PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4760 -ip 4760
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4620 -ip 4620
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4116 -ip 4116
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1544 -ip 1544
1⤵
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
f782b09fd215d3d9bb898d61ea2e7a37

SHA1
a382348e9592bdf93dd10c49773b815a992fa7c7

SHA256
7bd4646090dff9875e08ea00e5727b11be19fcb850344856e66360c152835694

SHA512
9342bd7a0cbabd7e699ea545897a6403371a0034e4bea067a9662dad9e492c5fa9b27efa4c850e1c001c79d6a76ffe0dacb6831010e41c8d5e2a92bd5b898606

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000003.db

Filesize
289KB

MD5
8371e2c5f50981d45da1d2ac011151e4

SHA1
207585c4ce4a8688d77e3806f0b13b0bc9951e7d

SHA256
9e0d2763e84ca2810f700b6e5df470a7789f5566a5fe960ee48a761c77676b5b

SHA512
e1ed56af0c3291c16a1a6d3add0e25ac0a97766d62a59f8f7941760ba6b015176e268132d1c08c2e84a11e3cde2759c051ebf81ae1b5a4981ddad770574229a9

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{8DCFE24C-7A15-4389-86A9-1434EEF7ED83}.2.ver0x0000000000000002.db

Filesize
1KB

MD5
a510a83da9bbfb7d36892097a48e33b7

SHA1
06a23f1849ed511f22694e39b25cf2034181e43f

SHA256
177f4bd3c2d393a54a23e9043ab0214a95b156ca4b5a4d8eaa78aeda02888528

SHA512
0758985b1e9ad6e0233cdea9e172d7b48275ed9555679d68d93c7351d48700f585ee696a3f421be5733a04300fe3dd1975de247e4eece8b8a343b3cd41308114

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.kropun

Filesize
622KB

MD5
4e6518161cc338011531e6ec335401e2

SHA1
6d221aae3781af873141e6bbc6790c7ffb20259e

SHA256
a47f41aa7bcec0354731bea88367b16ea9010ff199298e613b6e3aee6744beca

SHA512
549c082c5d737f1b1ffcabea6b7f5c44d87efbc9864081afb02a10fa33ffb7c4a081956814e0ccbf9f0ed8a590c4ee9bad782ca49bd63ec9818a25e5b3af1382

Download Submit
C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi

Filesize
736KB

MD5
c3c0fe1bf5f38a6c89cead208307b99c

SHA1
df5d4f184c3124d4749c778084f35a2c00066b0b

SHA256
f4f6d008e54b5a6bac3998fc3fe8e632c347d6b598813e3524d5489b84bd2eaf

SHA512
0f3e96d16c512e37025b04ff7989d60126c3d65fe868dbcfbeae4dac910ce04fc52d1089f0e41ce85c2def0182a927fdcc349094e74cdd21b45a42fde7f01806

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
180KB

MD5
b2e47100abd58190e40c8b6f9f672a36

SHA1
a754a78021b16e63d9e606cacc6de4fcf6872628

SHA256
889217bcb971387bc3cb6d76554646d2b0822eceb102320d40adf2422c829128

SHA512
d30da8c901e063df5901d011b22a01f884234ddddd44b9e81b3c43d93a51e10342074523339d155d69ff03a03a1df66c7d19e0137a16f47735b5b600616ca2a9

Download Submit
C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi

Filesize
26.0MB

MD5
078fdfc06d675c9476796f61e8d8b396

SHA1
183e0f30aad003e5443fc282813f349ebd7bb1c8

SHA256
71474bbf9ec8997bb0ec65853cb095b000f1cdd52aa3f53b486a994588a4b7f7

SHA512
ec1b7bb3993e7022b600557fb63f405cca68fa269ebf9cebb4c699c7e35ac3bdafac44c12b60b67c01987d499023a2b5cfea0bdb66684eff4d67546ec5952a68

Download Submit
C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi

Filesize
28.5MB

MD5
01bc6dc2e63ba4656e64f83debbc1f4e

SHA1
823cb85a326995b562bd02e26996a4a841795322

SHA256
b96e7138eee33474e5ec02c855673b56f78f0773d10fb962b7c9d015597db689

SHA512
90f0a9df306c83c3c10cdc7cb03110bb75796b3462a3562743a5a4cf9366d85e157cdf7b60bf6458051a0deec9275ae30fc49d19f83aebaae01ec908b3335175

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
c9be626e9715952e9b70f92f912b9787

SHA1
aa2e946d9ad9027172d0d321917942b7562d6abe

SHA256
c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

SHA512
7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
a1c72c21e5f915020c27dc2b144de200

SHA1
6abdbff341e0a3e0e3aee86cfccba70b75e1b61a

SHA256
a17fb3ba97b327eb355572eda402ccf5a5fca4823ab56ff06c475d293e1385af

SHA512
8645ee30dd3010379ef05f287f878efa62e41e6df0b9a98eb195c8fabed428f1d9c4b6e528161f769d4e8a441ce68cccec95f432c448c7b5cb9ee575b46dd0d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
298902e5d051a81e24b6d985ba726a71

SHA1
edeec6a4ffae41cc36b7b24af3b6e2a80482dedb

SHA256
c828dd9bcda7b53680a860ba95ac9643a13ecf8d8cfc77995527439607659e11

SHA512
13c538ce31628c5c1ed5bcc20e3987931ba539b6e147ad9c141d67ac22099374bb6a1acb21d21d5000859d8ebecaf2482436fbb6a8ed766335f4b75f30d4e2fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6NG3XLY0\geo[1].json

Filesize
542B

MD5
794f37d6fcc52e598a6b9b993bfa8922

SHA1
f31f03ba70324db01078cc41a06b6bcf3f07056e

SHA256
3356f73006fee0c1448598764560c334e02d4eccc556bd4ed6f5f1537476cc33

SHA512
192888f5b6fbd0fcd308752edb8023ee1db8c3a813183b496785dc18de6e76484aba883ccf3c6df925a624133cf01bd6f1e278c5bd0e883d654a3eda13e3e399

Download Submit
C:\Users\Admin\AppData\Local\e62cc969-0181-49de-8473-8b92e1048a99\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Filesize
669KB

MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
C:\Users\Public\Documents\_readme.txt

Filesize
1KB

MD5
d75064cfaac9c92f52aadf373dc7e463

SHA1
36ea05181d9b037694929ec81f276f13c7d2655c

SHA256
163ec5b903b6baadd32d560c44c1ea4dce241579a7493eb32c632eae9085d508

SHA512
43387299749f31c623c5dd4a53ff4d2eff5edfeb80fd4e2edd45860b5c9367d2767ae2ee9b60824b57301999dd2bd995b7d3bd5e7187e447aed76106272559d1

Download Submit
memory/856-49-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/856-39-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/856-42-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/896-1172-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/896-41-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1336-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1336-3-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1336-2-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/1336-17-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1336-16-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1544-1249-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1544-1253-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1644-1195-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1644-1181-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1644-1179-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1644-1176-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1644-1177-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1652-48-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1652-47-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1808-1215-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1808-1225-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1808-1203-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1808-1204-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1932-1227-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1932-1223-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2200-1194-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3904-1218-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3904-1224-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4116-1252-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4116-1251-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4332-1198-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4332-1199-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4520-1200-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4520-1196-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4620-1231-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4620-1247-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4620-1232-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4760-1246-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4880-1220-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4880-1217-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4880-1228-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5076-28-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5076-1173-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5076-27-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5076-20-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5076-19-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5076-30-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5076-31-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5076-14-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download