cerber | b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2025 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
Size

264KB
MD5

5a002ac1a019b8fdcd52f7eab3f99ab6
SHA1

6439a947cea99391048029e757158a70b5c3fef6
SHA256

b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352
SHA512

42991564c84821a4f4dd80ffa769ae1603ab320fe0ab543ec513c75532fae48f369457677e063af80163c374f49d6068cdd85d85ceaf480447958d921084d276
SSDEEP

3072:oNY76rwprCqIW4JQXcNqxhNZzefd2yW4bvo3e5S7x3BbIHz5WSnrqoH8QVnhfsH:cdMrfSqcNqxhaFtdb55SDb05WqOocQG

Score

10^/10

cerber discovery ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_HELP_HELP_HELP_A9QX_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url('data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=') left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return showBlock('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return showBlock('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return showBlock('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return showBlock('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return showBlock('fr');">Français</a></li> <li><a href="#" title="German" onclick="return showBlock('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return showBlock('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return showBlock('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return showBlock('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return showBlock('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return showBlock('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return showBlock('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return showBlock('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't you find the necessary files? Is the content of your files not readable? It is normal because the files' names and the data in your files have been encrypted by "Cerber Ransomware". It means your files are NOT damaged! Your files are modified only. This modification is reversible. From now it is not possible to use your files until they will be decrypted. The only way to decrypt your files safely is to buy the special decryption software "Cerber Decryptor". Any attempts to restore your files with the third-party software will be fatal for your files! <hr> You can proceed with purchasing of the decryption software at your personal page: Please wait...<a class="url" href="http://p27dokhpz2n7nvgr.tor2web.org/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.tor2web.org/D762-1251-95BC-0006-47F5</a><hr><a href="http://p27dokhpz2n7nvgr.onion.link/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.onion.link/D762-1251-95BC-0006-47F5</a><hr><a href="http://p27dokhpz2n7nvgr.onion.nu/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.onion.nu/D762-1251-95BC-0006-47F5</a><hr><a href="http://p27dokhpz2n7nvgr.onion.cab/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.onion.cab/D762-1251-95BC-0006-47F5</a><hr><a href="http://p27dokhpz2n7nvgr.onion.to/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.onion.to/D762-1251-95BC-0006-47F5</a> If this page cannot be opened  click here  to get a new address of your personal page. If the address of your personal page is the same as before after you tried to get a new one, you can try to get a new address in one hour. At this page you will receive the complete instructions how to buy the decryption software for restoring all your files. Also at this page you will be able to restore any one file for free to be sure "Cerber Decryptor" will help you. <hr> If your personal page is not available for a long period there is another way to open your personal page - installation and use of Tor Browser: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://p27dokhpz2n7nvgr.onion/D762-1251-95BC-0006-47F5 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> Additional information: You will find the instructions ("*_HELP_HELP_HELP_*.hta") for restoring your files in any folder with your encrypted files. The instructions "*_HELP_HELP_HELP_*.hta" in the folders with your encrypted files are not viruses! The instructions "*_HELP_HELP_HELP_*.hta" will help you to decrypt your files. Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.tor2web.org/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.tor2web.org/D762-1251-95BC-0006-47F5</a><hr><a href="http://p27dokhpz2n7nvgr.onion.link/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.onion.link/D762-1251-95BC-0006-47F5</a><hr><a href="http://p27dokhpz2n7nvgr.onion.nu/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.onion.nu/D762-1251-95BC-0006-47F5</a><hr><a href="http://p27dokhpz2n7nvgr.onion.cab/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.onion.cab/D762-1251-95BC-0006-47F5</a><hr><a href="http://p27dokhpz2n7nvgr.onion.to/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.onion.to/D762-1251-95BC-0006-47F5</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/D762-1251-95BC-0006-47F5 في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضافية: سوف تجد إرشادات استعادة الملفات الخاصة بك ("*_HELP_HELP_HELP_*") في أي مجلد مع ملفاتك المشفرة. الإرشادات ("*_HELP_HELP_HELP_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_HELP_HELP_HELP_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只是被修改了，这个修改是可逆的，解密之前您无法使用您的文件。 安全解密您文件的唯一方式是购买特别的解密软件“Cerber Decryptor”。 任何使用第三方软件恢复您文件的方式对您的文件来说都将是致命的！ <hr> 您可以在您的个人页面上购买解密软件： 请稍候...<a class="url" href="http://p27dokhpz2n7nvgr.tor2web.org/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.tor2web.org/D762-1251-95BC-0006-47F5</a><hr><a href="http://p27dokhpz2n7nvgr.onion.link/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.onion.link/D762-1251-95BC-0006-47F5</a><hr><a href="http://p27dokhpz2n7nvgr.onion.nu/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.onion.nu/D762-1251-95BC-0006-47F5</a><hr><a href="http://p27dokhpz2n7nvgr.onion.cab/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.onion.cab/D762-1251-95BC-0006-47F5</a><hr><a href="http://p27dokhpz2n7nvgr.onion.to/D762-1251-95BC-0006-47F5" target="_blank">http://p27dokhpz2n7nvgr.onion.to/D762-1251-95BC-0006-47F5</a> 如果这个页面无法打开，请 点击这里 生成您个人页面的新地址。 您将在这个页面上看到如何购买解密软件以恢复您的文件。 您可以在这个页面使用“Cerber Decryptor”免费恢复任何文件。 <hr> 如果您的个人页面长期不可用，有其他方法可以打开您的个人页面 - 安装并使用 Tor 浏览器： <ol> <li>使用您的上网浏览器（如果您不知道使用 Internet Explorer 的话）；</li> <li>在浏览器的地址栏输入或复制地址 <a href="https://www.torpro

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Contacts a large (1108) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Downloads MZ/PE file 1 IoCs

flow	pid	Process
2457	4060	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000\Control Panel\International\Geo\Nation	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC98A.bmp"	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\onenote	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\the bat!	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\excel	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\steam	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files\	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\office	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\program files (x86)\	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2260	MicrosoftEdgeUpdate.exe
2768	PING.EXE

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4868	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000_Classes\Local Settings	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2768	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4048	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
4048	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4048	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
Token: SeCreatePagefilePrivilege	4048	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
Token: 33	2616	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2616	AUDIODG.EXE
Token: SeDebugPrivilege	4868	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 892	4048	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe	108
PID 4048 wrote to memory of 892	4048	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe	108
PID 4048 wrote to memory of 892	4048	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe	108
PID 4048 wrote to memory of 1860	4048	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe	117
PID 4048 wrote to memory of 1860	4048	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe	117
PID 4048 wrote to memory of 1860	4048	b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe	117
PID 1860 wrote to memory of 4868	1860	cmd.exe	119
PID 1860 wrote to memory of 4868	1860	cmd.exe	119
PID 1860 wrote to memory of 4868	1860	cmd.exe	119
PID 1860 wrote to memory of 2768	1860	cmd.exe	120
PID 1860 wrote to memory of 2768	1860	cmd.exe	120
PID 1860 wrote to memory of 2768	1860	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe
"C:\Users\Admin\AppData\Local\Temp\b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_HELP_HELP_HELP_S8JJCP_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "b04036e4c638f832bdb553a11d740d76bc1cb7148f163856239c9f51943be352.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2768

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QUI1MThBQTQtNjM5OC00MjVCLUI1RjAtQjM2ODRDQjM2QTc3fSIgdXNlcmlkPSJ7NkI1NDQ5MkEtN0JFMi00QTFELUE2N0YtMjIzM0NEODc3MzEwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7N0M0RkE4REUtQkYxQS00QTBDLThENzItMkExNzcwNzdCQTkxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI5IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4NjAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODIxNjMwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODQ3MDM5NDY5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2260

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x384 0x4b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_HELP_HELP_HELP_A9QX_.hta

Filesize
74KB

MD5
e6fc1b6775a5b7e4b919d8e341657981

SHA1
16c75931f9435926e725c8024dea40dddf3303e3

SHA256
a54233897031b2adf19626c0930ae75825cd8e22810b119f0861416347b88637

SHA512
9c2781132e384655b7461622ba3f2853997ff9cd4f256329db8f323a355160dad1bf34272e31b5e2c21c0446c59e90196423b7a0fa69c3018bb13be7cd105843

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_HELP_HELP_HELP_TCZ8_.png

Filesize
427KB

MD5
604030338d60d2210be6647d583bceb5

SHA1
be0db9f093f5fea043effc6455dab10ec1178470

SHA256
9675169b1820770562202a6c3c4b7786cb0084d431c19f3fb139965c6c46c380

SHA512
da05f49372f682461cc659dcd548e405ba9be1876124ae52ea644371d044ef62c9d01f5dc9d368795034dc995e1d60da690098023b11b370b894d8115986ed03

Download Submit
memory/4048-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4048-1-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4048-4-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4048-3-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4048-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4048-5-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4048-6-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4048-375-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4048-383-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download