a1f1f23d1080f1a68fb21018fab72c45b6d528c1a06a6391487c19a0c7aa2451

Resubmissions

04/04/2025, 01:22

250404-brjeysxwaz 10

04/04/2025, 01:20

250404-bqbcyszlz2 10

04/04/2025, 01:18

250404-bnzyjaxvgs 10

Analysis

max time kernel
57s
max time network
59s
platform
windows11-21h2_x64
resource
win11-20250314-it
resource tags

arch:x64arch:x86image:win11-20250314-itlocale:it-itos:windows11-21h2-x64systemwindows
submitted
04/04/2025, 01:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Solaris.exe
Size

7.2MB
MD5

54259a70a86ba3add0d89979e62854cd
SHA1

7e4045edace566fbf9a0260d57b0f682f06a7e6b
SHA256

b0433f33e6ff471fb357941a07d5262e61ed6999d8d025031c2029092f4bfacc
SHA512

c553fc6aaacfc6d8bfce08e8636fd42fd98a40d6ff2c671e8ae82635894aed5c14eb50ce0fe811da89f8bc5a2a885d2a911ca086bf9a1dce290b75985d4b235d
SSDEEP

196608:WRhEG05ltetqEG/gGhj8aAkF8BpM8koCeIXFark6i9y8z:WRhG5lsqP4Yj8keBBkOIXFGk638z

Score

10^/10

bootkit discovery execution persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\465F.tmp\\LOCK.exe"	LOCK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\465F.tmp\\LOCK.exe"	LOCK.exe

Executes dropped EXE 7 IoCs

pid	Process
672	qqq.exe
5644	fleeg2.0.exe
228	Maltoolkit.exe
5568	FlargOnDesktop.exe
3396	qw.exe
4448	LOCK.exe
2496	LOCK.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3828	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fleeg2.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\465F.tmp\\LOCK.exe"	LOCK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\465F.tmp\\LOCK.exe"	LOCK.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	LOCK.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001a00000002b2a6-24.dat	upx
behavioral1/memory/672-26-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/672-126-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/672-144-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5104	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solaris.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	label.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlargOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOCK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOCK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fleeg2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qqq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2000	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	label.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
5484	taskkill.exe
5572	taskkill.exe
720	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "123"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1678082226-3994841222-899489560-1000\{5DF8A145-789C-4D3D-AC62-9A5011E77C0B}	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CTLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CTLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CTLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CTLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	BackgroundTransferHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2356	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5104	powershell.exe
5104	powershell.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeIncreaseQuotaPrivilege	5756	WMIC.exe
Token: SeSecurityPrivilege	5756	WMIC.exe
Token: SeTakeOwnershipPrivilege	5756	WMIC.exe
Token: SeLoadDriverPrivilege	5756	WMIC.exe
Token: SeSystemProfilePrivilege	5756	WMIC.exe
Token: SeSystemtimePrivilege	5756	WMIC.exe
Token: SeProfSingleProcessPrivilege	5756	WMIC.exe
Token: SeIncBasePriorityPrivilege	5756	WMIC.exe
Token: SeCreatePagefilePrivilege	5756	WMIC.exe
Token: SeBackupPrivilege	5756	WMIC.exe
Token: SeRestorePrivilege	5756	WMIC.exe
Token: SeShutdownPrivilege	5756	WMIC.exe
Token: SeDebugPrivilege	5756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5756	WMIC.exe
Token: SeRemoteShutdownPrivilege	5756	WMIC.exe
Token: SeUndockPrivilege	5756	WMIC.exe
Token: SeManageVolumePrivilege	5756	WMIC.exe
Token: 33	5756	WMIC.exe
Token: 34	5756	WMIC.exe
Token: 35	5756	WMIC.exe
Token: 36	5756	WMIC.exe
Token: SeShutdownPrivilege	408	WScript.exe
Token: SeCreatePagefilePrivilege	408	WScript.exe
Token: 33	3148	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3148	AUDIODG.EXE
Token: SeDebugPrivilege	720	taskkill.exe
Token: SeShutdownPrivilege	408	WScript.exe
Token: SeCreatePagefilePrivilege	408	WScript.exe
Token: SeDebugPrivilege	5484	taskkill.exe
Token: SeDebugPrivilege	5572	taskkill.exe
Token: SeShutdownPrivilege	4448	LOCK.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4448	LOCK.exe
4448	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe
4448	LOCK.exe
2496	LOCK.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3624	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 3440	1012	Solaris.exe	79
PID 1012 wrote to memory of 3440	1012	Solaris.exe	79
PID 1012 wrote to memory of 3440	1012	Solaris.exe	79
PID 3440 wrote to memory of 672	3440	cmd.exe	83
PID 3440 wrote to memory of 672	3440	cmd.exe	83
PID 3440 wrote to memory of 672	3440	cmd.exe	83
PID 3440 wrote to memory of 2000	3440	cmd.exe	84
PID 3440 wrote to memory of 2000	3440	cmd.exe	84
PID 3440 wrote to memory of 2000	3440	cmd.exe	84
PID 672 wrote to memory of 4808	672	qqq.exe	85
PID 672 wrote to memory of 4808	672	qqq.exe	85
PID 672 wrote to memory of 4808	672	qqq.exe	85
PID 4808 wrote to memory of 5104	4808	cmd.exe	87
PID 4808 wrote to memory of 5104	4808	cmd.exe	87
PID 4808 wrote to memory of 5104	4808	cmd.exe	87
PID 3440 wrote to memory of 2792	3440	cmd.exe	88
PID 3440 wrote to memory of 2792	3440	cmd.exe	88
PID 3440 wrote to memory of 2792	3440	cmd.exe	88
PID 3440 wrote to memory of 4600	3440	cmd.exe	90
PID 3440 wrote to memory of 4600	3440	cmd.exe	90
PID 3440 wrote to memory of 4600	3440	cmd.exe	90
PID 3440 wrote to memory of 5756	3440	cmd.exe	92
PID 3440 wrote to memory of 5756	3440	cmd.exe	92
PID 3440 wrote to memory of 5756	3440	cmd.exe	92
PID 3440 wrote to memory of 3868	3440	cmd.exe	96
PID 3440 wrote to memory of 3868	3440	cmd.exe	96
PID 3440 wrote to memory of 3868	3440	cmd.exe	96
PID 3440 wrote to memory of 3828	3440	cmd.exe	97
PID 3440 wrote to memory of 3828	3440	cmd.exe	97
PID 3440 wrote to memory of 3828	3440	cmd.exe	97
PID 3440 wrote to memory of 3624	3440	cmd.exe	99
PID 3440 wrote to memory of 3624	3440	cmd.exe	99
PID 3440 wrote to memory of 3624	3440	cmd.exe	99
PID 3440 wrote to memory of 5644	3440	cmd.exe	101
PID 3440 wrote to memory of 5644	3440	cmd.exe	101
PID 3440 wrote to memory of 5644	3440	cmd.exe	101
PID 5644 wrote to memory of 4040	5644	fleeg2.0.exe	102
PID 5644 wrote to memory of 4040	5644	fleeg2.0.exe	102
PID 5644 wrote to memory of 4040	5644	fleeg2.0.exe	102
PID 3440 wrote to memory of 408	3440	cmd.exe	106
PID 3440 wrote to memory of 408	3440	cmd.exe	106
PID 3440 wrote to memory of 408	3440	cmd.exe	106
PID 2984 wrote to memory of 1992	2984	cmd.exe	107
PID 2984 wrote to memory of 1992	2984	cmd.exe	107
PID 4040 wrote to memory of 228	4040	cmd.exe	108
PID 4040 wrote to memory of 228	4040	cmd.exe	108
PID 4040 wrote to memory of 228	4040	cmd.exe	108
PID 3440 wrote to memory of 4796	3440	cmd.exe	109
PID 3440 wrote to memory of 4796	3440	cmd.exe	109
PID 3440 wrote to memory of 4796	3440	cmd.exe	109
PID 3440 wrote to memory of 5568	3440	cmd.exe	110
PID 3440 wrote to memory of 5568	3440	cmd.exe	110
PID 3440 wrote to memory of 5568	3440	cmd.exe	110
PID 3440 wrote to memory of 3396	3440	cmd.exe	111
PID 3440 wrote to memory of 3396	3440	cmd.exe	111
PID 3440 wrote to memory of 3396	3440	cmd.exe	111
PID 3440 wrote to memory of 2880	3440	cmd.exe	113
PID 3440 wrote to memory of 2880	3440	cmd.exe	113
PID 3440 wrote to memory of 2880	3440	cmd.exe	113
PID 3440 wrote to memory of 2356	3440	cmd.exe	114
PID 3440 wrote to memory of 2356	3440	cmd.exe	114
PID 3440 wrote to memory of 2356	3440	cmd.exe	114
PID 3440 wrote to memory of 4448	3440	cmd.exe	115
PID 3440 wrote to memory of 4448	3440	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\Solaris.exe
"C:\Users\Admin\AppData\Local\Temp\Solaris.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\465F.tmp\main.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\465F.tmp\qqq.exe
    qqq.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7DCB.tmp\msg.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -AssemblyName PresentationFramework; [System.Windows.MessageBox]::Show('You stepped into the wrong executable', 'lmao', [System.Windows.MessageBoxButton]::OK, [System.Windows.MessageBoxImage]::Error)"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K time
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4600
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5756
- - C:\Windows\SysWOW64\help.exe
    help
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3868
- - C:\Windows\SysWOW64\icacls.exe
    icacls
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3828
- - C:\Windows\SysWOW64\label.exe
    label qqqqqqqq
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:3624
- - C:\Users\Admin\AppData\Local\Temp\465F.tmp\fleeg2.0.exe
    fleeg2.0
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c Maltoolkit.exe --shreadinggdipayloadrainbowgdipayloadtunnelgdipayloadscreeninvertingpayloadpixelatedgdiglitchesinversegdipayload500
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Maltoolkit.exe
        
        Maltoolkit.exe --shreadinggdipayloadrainbowgdipayloadtunnelgdipayloadscreeninvertingpayloadpixelatedgdiglitchesinversegdipayload500
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:228
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\465F.tmp\flarg.vbs"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:408
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\465F.tmp\z.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4796
- - C:\Users\Admin\AppData\Local\Temp\465F.tmp\FlargOnDesktop.exe
    FlargOnDesktop
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5568
- - C:\Users\Admin\AppData\Local\Temp\465F.tmp\qw.exe
    qw
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3396
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\465F.tmp\speech.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\465F.tmp\can.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\465F.tmp\LOCK.exe
    LOCK
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4448
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM tm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5484
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5572

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:1992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000488 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\465F.tmp\LOCK.exe
1⤵
PID:3580
- C:\Users\Admin\AppData\Local\Temp\465F.tmp\LOCK.exe
  C:\Users\Admin\AppData\Local\Temp\465F.tmp\LOCK.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:2496

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4644

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c1855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
87246d37d2c484408cb174983b2fc4a1

SHA1
10e2594f37bf49ea75ee810fa10666d146db6e69

SHA256
0ab28f48eac6891ccaf063a7d2aa8f60854f91bff91bf8491e7039b2cc315ca5

SHA512
76997d56a31fa1f649f4d293e9fbb2a52e73d034cc153f0840352e07ae99b4e7f11042d792e3f170bb3bd1b0a28345bb245459d16f6fc599f3521693c84e89f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\465F.tmp\FlargOnDesktop.exe

Filesize
1.1MB

MD5
6c8df8f1fcaedb5b286b0e737f338a39

SHA1
efc745fe9e385bb0eaaf63ab1158bcdd85645816

SHA256
65fda63c738c3a5a97a023cc2e73d5c7ffcbefce406ec65b9a7e65f62f32cdb7

SHA512
fe03b91b21588b98a699016fefb49f32a624f4729b7e8ec3a3cc37b627eafda3020934affba3f73d0d3b80abcf4511f409e0e25be857a362f9c52e57a17df35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\465F.tmp\LOCK.exe

Filesize
436KB

MD5
e9a942cf4bcd733d5679aac39588157c

SHA1
42aa229d3903dd28b60eeef67024e0e01d81eacd

SHA256
4ede23ec10bbab66b8ce2f86d7f11dbe44f16b86885eed44b17c2908453b64d9

SHA512
b489eae39aa305e3de733ec1866b80c12a2e0abacc58cff225a0bc52dc170d4bc63783b3eab881910d2382b0a33742bf5b5f5e685375cab73df20cfafce2df52

Download Submit
C:\Users\Admin\AppData\Local\Temp\465F.tmp\can.txt

Filesize
25B

MD5
401de424470ac4e20c7abba02ff9fecf

SHA1
2f9cb2cf54f9445a2f6d488ecf6aa4586dea985a

SHA256
16cfd3079338d4cc392e8a024bbbb3112782e3b80dc135a4b25bed9a1444e3c5

SHA512
463e5c0cebfa6046302ae9e46d436580ee1f40e16e79266f2e91403f0e45bb0819694037026ada1fe89c13cd3121384f4201684d80f5bef2b610e105508f347f

Download Submit
C:\Users\Admin\AppData\Local\Temp\465F.tmp\flarg.mp3

Filesize
4.5MB

MD5
a432a5d232380da0e958ebf33bd29487

SHA1
b2c215807614da9ef51088a5f182050a6a467981

SHA256
da25c8c729131d2d644d8c70e19a1e5c26aaf87877525a57f3d3d23bd0e7009b

SHA512
3572f37d087d202fdb3a1ce7f9e945c280bc6481b8c765dc5f641bdfa5d3d5c5a34c4e076182e6b3fb57e90e6434da5c083c3cb69b737482bcc30bda68994194

Download Submit
C:\Users\Admin\AppData\Local\Temp\465F.tmp\flarg.vbs

Filesize
210B

MD5
e0820a415681528513a1b9d1ac270666

SHA1
bc923c6dcecb782bccd11e791d189ae127704974

SHA256
4f51b27a5bafbba078ff27c86ad1da68f830caf6b74165deb3b5a974ddc53198

SHA512
1ad8a6d2c4924607ba36a47d65d0b9dbec050d612c30633f8dc28bb5c37b0886f9e4b2ac410c08fc1e5534c4743d0def1ac0592e4e141e37b435eeb3df3c90e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\465F.tmp\fleeg2.0.exe

Filesize
672KB

MD5
ba50cddfee7f588f4459a92e13cd003a

SHA1
939eddf430071cf857c1a2fbca4d233db0a28f9a

SHA256
8c7890605137fa302db210882508074030b4d6919dcc2c7247e7c6e995201682

SHA512
a90814ea833f7d30b9678190f2ff50023644a323891bb8fa4609dc5d956e493cf0d5cbed511c52a60fadbe16bb96990661bd26b4d922205c2a304ecf3510bc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\465F.tmp\main.cmd

Filesize
327B

MD5
7d7f9229dcef2075732eb132378adb7e

SHA1
cda7b85e6f2847dfdf5a2aa5a203369e4d68f126

SHA256
58215e2a988edd8554dac257f44e3ca4bc956b4bb2d5fb8e8fb04577bd96effb

SHA512
24bc65cb4691794401d86d1e066cc5eae181be7ec3de50957746ab5539c637885f848fcc7113725be5b2ac02e1bded9fcc1caa8a9ff550b431d99e27c9df9505

Download Submit
C:\Users\Admin\AppData\Local\Temp\465F.tmp\qqq.exe

Filesize
21KB

MD5
27b6d2f4c468208ff87638c76ea38c62

SHA1
216a697bac98db88d1734521e48398417c247e53

SHA256
b78f81ab0e49f98ad8f607c6e9ad111a87a60fef471873c6bef2546fe28c953c

SHA512
620fdb01ee3a3d40fd112c1df8dfa319c895f696c11a176466a14c0cb2545c226e50859d36174f3548728c5d3a5f8ec43a961a8fbf182f38effd630a0cd4e036

Download Submit
C:\Users\Admin\AppData\Local\Temp\465F.tmp\qw.exe

Filesize
461KB

MD5
1cd26deb7230d7573199eaf6766573b9

SHA1
ea019ff0c8a538aa979a49ab8432bfc55485036b

SHA256
bf77b3f707ca602c647d8052bdb1a35ac58b30e46abe38887e3d7f75578a3fc6

SHA512
432a057eae64807428d4a20390be8a79eb195bc78d55bfc1804c681da898b73a17502ecc3ef4191c9577b90b0991f9ba0d6bd39db079d39f629233977237713d

Download Submit
C:\Users\Admin\AppData\Local\Temp\465F.tmp\speech.vbs

Filesize
278B

MD5
b2096d95195af08f640c47f3b9e03d38

SHA1
999aac238a62a9d2f6387c1eede5df59a2d0577f

SHA256
060d61d1ee7e65da381fdcbd1e35e0f6688b823018348081df0f78923cab6769

SHA512
564bdbe0e9acd1e8406330b7daed6067ea04fab4a9fc93868dc1e30983b46971fbf62caae1ee09876744fcc19df5adb93c4034e407b0e17e717efaba765f5e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\465F.tmp\z.vbs

Filesize
31B

MD5
4aada262983b85642a5ff90733594485

SHA1
7fbd7f09f16a82f6cd137d7e6adcb63de0706987

SHA256
a4d005bfff2eea789d1ccf419cfbf8e5c243fea0135e09631a2c268b4b8805c9

SHA512
43e0be9d5409b3eaff499d6d370f76cf6cf0d2fc7a1ab7d41825033cb4b4f6542676b964c0aecc6c755d5a1773d973810ebdb98ba05f387d9d2dbbdadece94ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7DCB.tmp\msg.cmd

Filesize
232B

MD5
a9e4467ccb1cfc8e041b75047f985c8d

SHA1
6755cb4209b4d26c0b7adc066b25de3cb7175dfb

SHA256
481527e9562d29c7e8a372f0f3806a46f9bdd7173cded7e60d5755248bdcef56

SHA512
e1c691386d59eea1fc63ba0df21b88fe0a6953c4d01ef709a72a8edbe05879c1131248ecf8b89e4c03c19c7619aad006ae2bc767adccb343212961ceec2a69f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Maltoolkit.exe

Filesize
599KB

MD5
d4163d85ba71a09b181dea459744698c

SHA1
002efbdaf3b87a486cd1b577b219a36995a66489

SHA256
1fd51d6dd83f903b81c2fe5ee5811a32f4eeddae97b02c89659e6f0e7da16b1e

SHA512
f6740689391249a5a123cc2184b3b20bca15662d4b35f0158dfbb61a926f8d3d86f19cfadf2f411a5f43a904566a2b236f8fa6c1c30e2b7edeb29eb615e4dd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txtpyi2c.emj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\FlargOnDesktop\flarg.png

Filesize
34KB

MD5
5144c96662a803704aceeb2620f0bbcb

SHA1
8f211f9ee8739b4c94b249075f4c7277a6326817

SHA256
611b0f0f79493ae5a191e96749bc021684e348f80af363b85e18e8857a765f0b

SHA512
196626d94af55b9fa66c663d617b1ff8ea7693c209622e10b1d2caf0cbc12ad076cdd7937bbc979d30bd9f2f43c17ca976ca180d358bf342458bbd88cfe33944

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_862020AEE9B44204A5084879EB91F1D1.dat

Filesize
940B

MD5
14b75cc76b1075250c27c35c257c2061

SHA1
b6176792657436ffa5d6e1add426e4b6afe66d09

SHA256
8ab427f233674e58b3129eab1b1d9c80c4c915661542fbba40ac52008f0206c6

SHA512
5d774bb612aa4275cabebdc3584b81681b2f9ff4677f295e31674026ac867276461a553cfef5d6ed5576fc99d607f9d9b5ebc8922002cf7fe695f5906bdef738

Download Submit
memory/228-73-0x0000000005CD0000-0x0000000006276000-memory.dmp

Filesize
5.6MB

Download
memory/228-69-0x0000000000D30000-0x0000000000DCA000-memory.dmp

Filesize
616KB

Download
memory/228-75-0x0000000005680000-0x00000000056AC000-memory.dmp

Filesize
176KB

Download
memory/228-100-0x0000000006AC0000-0x0000000006B6A000-memory.dmp

Filesize
680KB

Download
memory/228-77-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/228-84-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/408-105-0x0000000006150000-0x0000000006160000-memory.dmp

Filesize
64KB

Download
memory/408-97-0x0000000006150000-0x0000000006160000-memory.dmp

Filesize
64KB

Download
memory/408-98-0x0000000006150000-0x0000000006160000-memory.dmp

Filesize
64KB

Download
memory/408-99-0x0000000006150000-0x0000000006160000-memory.dmp

Filesize
64KB

Download
memory/408-106-0x0000000006150000-0x0000000006160000-memory.dmp

Filesize
64KB

Download
memory/408-96-0x0000000006150000-0x0000000006160000-memory.dmp

Filesize
64KB

Download
memory/672-126-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/672-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/672-144-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2496-129-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2496-134-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2496-142-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3396-76-0x0000000000490000-0x0000000000508000-memory.dmp

Filesize
480KB

Download
memory/4448-128-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4448-141-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4448-133-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5104-46-0x0000000005C70000-0x0000000005FC7000-memory.dmp

Filesize
3.3MB

Download
memory/5104-36-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/5104-33-0x0000000005290000-0x00000000058BA000-memory.dmp

Filesize
6.2MB

Download
memory/5104-32-0x0000000004C20000-0x0000000004C56000-memory.dmp

Filesize
216KB

Download
memory/5104-52-0x00000000067C0000-0x00000000067DA000-memory.dmp

Filesize
104KB

Download
memory/5104-37-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/5104-47-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/5104-48-0x0000000006120000-0x0000000006222000-memory.dmp

Filesize
1.0MB

Download
memory/5104-34-0x0000000005100000-0x0000000005182000-memory.dmp

Filesize
520KB

Download
memory/5104-49-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/5104-35-0x00000000058F0000-0x0000000005912000-memory.dmp

Filesize
136KB

Download
memory/5104-50-0x00000000062A0000-0x00000000062EC000-memory.dmp

Filesize
304KB

Download
memory/5104-51-0x00000000078C0000-0x0000000007F3A000-memory.dmp

Filesize
6.5MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads