Windows Analysis Report
sample.zip.zip

Overview

General Information

Sample name: sample.zip.zip
Analysis ID: 1640292
MD5: 1332c43485745628370701b0760d3032
SHA1: 21245bbad71eb0545d5e1ab40f30a3b7a612ccbe
SHA256: e794dc7a34747ba78e6fe59e2c0146d50300bc4e63a014feae6803367490ba7f

Detection

Globeimposter
Score: 64
Range: 0 - 100
Confidence: 100%

Signatures

Yara detected Globeimposter Ransomware
Deletes shadow drive data (may be related to ransomware)
May disable shadow drive data (uses vssadmin)
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Uses bcdedit to modify the Windows boot settings
Checks for available system drives (often done to infect USB drives)
May check the online IP address of the machine
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Copy From or To System Directory
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 6960 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • 7zFM.exe (PID: 2324 cmdline: "C:\Program Files\7-Zip\7zFM.exe" MD5: 30AC0B832D75598FB3EC37B6F2A8C86A)
    • 7zG.exe (PID: 6480 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\sample.zip\" -ad -an -ai#7zMap4049:76:7zEvent4724 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • crypt154.exe (PID: 1952 cmdline: "C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe" MD5: EE91AEACFF16D4EF5FE74B7252291665)
    • conhost.exe (PID: 640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1152 cmdline: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 1504 cmdline: C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • vssadmin.exe (PID: 1956 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: B58073DB8892B67A672906C9358020EC)
    • cmd.exe (PID: 4588 cmdline: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 3220 cmdline: C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • wbadmin.exe (PID: 2332 cmdline: wbadmin delete backup -keepVersion:0 -quiet MD5: F2AA55885A2C014DA99F1355F3F71E4A)
    • cmd.exe (PID: 1708 cmdline: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 1984 cmdline: C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • WMIC.exe (PID: 2336 cmdline: wmic.exe SHADOWCOPY /nointeractive" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • cmd.exe (PID: 1632 cmdline: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 2200 cmdline: C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • bcdedit.exe (PID: 2644 cmdline: bcdedit.exe /set {default} recoverynabled No MD5: 74F7B84B0A547592CA63A00A8C4AD583)
Malware family: GlobeImposter
Description: GlobeImposter is a ransomware application which is mainly distributed via "blank slate" spam (the spam has no message content and an attached ZIP file), exploits, malicious advertising, fake updates, and repacked installers. GlobeImposter mimics the Globe ransomware family. This malware may prevent execution of Anti-Virus solutions and other OS related security features and may prevent system restoration.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter
Yara matches (rule: JoeSecurity_Globeimposter, description: Yara detected Globeimposter Ransomware, author: Joe Security):
  • dropped/ConDrv
  • 00000015.00000003.2157895210.000001C736584000.00000004.00000020.00020000.00000000.sdmp
  • 00000015.00000003.2158785971.000001C736584000.00000004.00000020.00020000.00000000.sdmp
  • 00000015.00000002.2225299060.000001C738260000.00000004.00000020.00020000.00000000.sdmp
  • 00000015.00000002.2223014962.000001C73657A000.00000004.00000020.00020000.00000000.sdmp

            System Summary

            Source: Process started
            Rule: Shadow Copies Deletion Using Operating Systems Utilities
            Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
            Data:
              Command: vssadmin.exe Delete Shadows /All /Quiet
              CommandLine: vssadmin.exe Delete Shadows /All /Quiet
              CommandLine|base64offset|contains: ^
              Image: C:\Windows\System32\vssadmin.exe
              NewProcessName: C:\Windows\System32\vssadmin.exe
              OriginalFileName: C:\Windows\System32\vssadmin.exe
              ParentCommandLine: C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
              ParentImage: C:\Windows\System32\cmd.exe
              ParentProcessId: 1504
              ParentProcessName: cmd.exe
              ProcessCommandLine: vssadmin.exe Delete Shadows /All /Quiet
              ProcessId: 1956
              ProcessName: vssadmin.exe

            Source: Registry Key set
            Rule: CurrentVersion Autorun Keys Modification
            Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
            Data:
              Details: "C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe"
              EventID: 13
              EventType: SetValue
              Image: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe
              ProcessId: 1952
              TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ

            Source: Process started
            Rule: Suspicious Copy From or To System Directory
            Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
            Data:
              Command: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
              CommandLine: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
              CommandLine|base64offset|contains: (empty)
              Image: C:\Windows\SysWOW64\cmd.exe
              NewProcessName: C:\Windows\SysWOW64\cmd.exe
              OriginalFileName: C:\Windows\SysWOW64\cmd.exe
              ParentCommandLine: "C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe"
              ParentImage: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe
              ParentProcessId: 1952
              ParentProcessName: crypt154.exe
              ProcessCommandLine: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
              ProcessId: 1708
              ProcessName: cmd.exe
            No Suricata rule has matched
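The Sigma matches above and the process tree can be reproduced offline with a small Sigma-style matcher. What follows is an added example and not part of the Joe Sandbox report: the event records are constructed from the command lines and the Run-key write shown in the process tree, using Sysmon field names; the rule selections are simplified paraphrases in the style of Sigma rather than the published rules; and the relaxed bcdedit rule is this example's own. Two details of the sample's command lines matter for detection: the bcdedit argument is misspelled (`recoverynabled` instead of `recoveryenabled`), so a rule keyed on the documented element name does not fire even though the report's generic "uses bcdedit" signature does, and bcdedit does not recognise the element, so the recovery setting is left unchanged; and the wmic call carries no `delete` verb (plus a stray trailing quote), so a rule keyed on shadow-copy deletion stays silent for it. The ancestry walk shows how the 32-bit sample reaches the 64-bit utilities: a SysWOW64 cmd.exe spawns a System32 cmd.exe through the `sysnative` alias, which in turn spawns vssadmin.

```python
"""Sigma-style matching over Sysmon-like events (added example, not report output).
EVENTS is constructed from the command lines and the Run-key write in the Joe Sandbox
process tree; field names follow Sysmon. The rules are simplified paraphrases in the
style of Sigma selections, not the published rules."""
from dataclasses import dataclass

EVENTS = [
    {"EventType": "process", "ProcessId": 1952, "ParentProcessId": 0,  # top-level node in report
     "Image": r"C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe",
     "CommandLine": r'"C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe"'},
    {"EventType": "process", "ProcessId": 1152, "ParentProcessId": 1952,  # 32-bit cmd.exe
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventType": "process", "ProcessId": 1504, "ParentProcessId": 1152,  # 64-bit cmd.exe via sysnative
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventType": "process", "ProcessId": 1956, "ParentProcessId": 1504,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventType": "process", "ProcessId": 2332, "ParentProcessId": 3220,
     "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete backup -keepVersion:0 -quiet"},
    {"EventType": "process", "ProcessId": 2336, "ParentProcessId": 1984,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic.exe SHADOWCOPY /nointeractive"'},  # no "delete" verb, stray quote
    {"EventType": "process", "ProcessId": 2644, "ParentProcessId": 2200,
     "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /set {default} recoverynabled No"},  # misspelled element name
    {"EventType": "registry", "ProcessId": 1952,
     "Image": r"C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ"},
]


@dataclass
class Rule:
    title: str
    event_type: str              # "process" or "registry"
    image_endswith: tuple = ()   # Image|endswith, any of
    cmdline_all: tuple = ()      # CommandLine|contains|all
    cmdline_any: tuple = ()      # CommandLine|contains, any of
    target_contains: tuple = ()  # TargetObject|contains, any of

    def matches(self, ev):
        """Case-insensitive substring checks, as Sigma's contains modifiers behave."""
        if ev["EventType"] != self.event_type:
            return False
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        target = ev.get("TargetObject", "").lower()
        if self.image_endswith and not image.endswith(tuple(s.lower() for s in self.image_endswith)):
            return False
        if not all(s.lower() in cmd for s in self.cmdline_all):
            return False
        if self.cmdline_any and not any(s.lower() in cmd for s in self.cmdline_any):
            return False
        if self.target_contains and not any(s.lower() in target for s in self.target_contains):
            return False
        return True


RULES = [
    Rule("Shadow Copies Deletion Using Operating Systems Utilities", "process",
         image_endswith=(r"\vssadmin.exe", r"\wmic.exe", r"\wbadmin.exe", r"\diskshadow.exe"),
         cmdline_all=("delete",), cmdline_any=("shadow", "catalog", "backup")),
    # Keyed on the documented element name: misses the sample's "recoverynabled".
    Rule("Boot Configuration Tampering Via Bcdedit.EXE", "process",
         image_endswith=(r"\bcdedit.exe",), cmdline_all=("set",),
         cmdline_any=("recoveryenabled no", "bootstatuspolicy ignoreallfailures")),
    # This example's own relaxed variant: any /set against the default boot entry.
    Rule("Bcdedit modifies the default boot entry (relaxed rule, added here)", "process",
         image_endswith=(r"\bcdedit.exe",), cmdline_all=("/set", "{default}")),
    Rule("CurrentVersion Autorun Keys Modification", "registry",
         target_contains=(r"\software\microsoft\windows\currentversion\run",)),
]


def evaluate(events, rules=RULES):
    """Map event index -> titles of the rules it satisfies (matching events only)."""
    hits = {}
    for idx, ev in enumerate(events):
        titles = [r.title for r in rules if r.matches(ev)]
        if titles:
            hits[idx] = titles
    return hits


def ancestry(events, pid):
    """Follow ParentProcessId links upwards; returns the image chain, child first."""
    by_pid = {ev["ProcessId"]: ev for ev in events if ev["EventType"] == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["Image"])
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def spawned_from_user_profile(chain):
    """True when some ancestor executes from a user-writable profile directory."""
    return any("\\users\\" in image.lower() for image in chain)
```

`evaluate(EVENTS)` flags the vssadmin and wbadmin events under the shadow-copy rule, leaves the wmic event unflagged, matches the bcdedit event only through the relaxed rule, and flags the Run-key write; `ancestry(EVENTS, 1956)` returns the four-image chain from vssadmin back to crypt154.exe, and `spawned_from_user_profile` on that chain is the check that catches LOLBin abuse regardless of which system utility sits at the end of it. Lowercasing both sides mirrors Sigma's case-insensitive `contains`; the explicit parent links are what preserve the 32-to-64-bit hop, since the sysnative alias changes the image path but not the ancestry.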

            Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.16:49710 version: TLS 1.2
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
            Source: unknown | DNS query: name: api.ipify.org
            Source: unknown | DNS query: name: api.ipify.org
            Source: global traffic | HTTP traffic detected:
              GET / HTTP/1.1
              Accept: */*
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
              Host: api.ipify.org
              Connection: Keep-Alive
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | HTTP traffic detected:
              GET / HTTP/1.1
              Accept: */*
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
              Host: api.ipify.org
              Connection: Keep-Alive
            Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
            Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
            Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.16:49710 version: TLS 1.2

            Spam, unwanted Advertisements and Ransom Demands

            Source: Yara match | File source: 00000015.00000003.2157895210.000001C736584000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000003.2158785971.000001C736584000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.2225299060.000001C738260000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.2223014962.000001C73657A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: dropped/ConDrv, type: DROPPED
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
            Source: classification engine | Classification label: mal64.rans.winZIP@22/5@1/2
            Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\sample.zip
            Source: C:\Program Files\7-Zip\7zFM.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Source: unknown | Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe"
            Source: C:\Program Files\7-Zip\7zFM.exe | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\sample.zip\" -ad -an -ai#7zMap4049:76:7zEvent4724
            Source: C:\Program Files\7-Zip\7zFM.exe | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\sample.zip\" -ad -an -ai#7zMap4049:76:7zEvent4724
            Source: unknown | Process created: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe "C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe"
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Process created: C:\Windows\SysWOW64\cmd.exe \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Process created: C:\Windows\SysWOW64\cmd.exe \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Process created: C:\Windows\SysWOW64\cmd.exe \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Process created: C:\Windows\SysWOW64\cmd.exe \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbadmin.exe wbadmin delete backup -keepVersion:0 -quiet
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} recoverynabled No
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Process created: C:\Windows\SysWOW64\cmd.exe \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Process created: C:\Windows\SysWOW64\cmd.exe \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Process created: C:\Windows\SysWOW64\cmd.exe \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Process created: C:\Windows\SysWOW64\cmd.exe \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
            Source: C:\Program Files\7-Zip\7zFM.exe | Sections loaded: uxtheme.dll, kernel.appcore.dll, textshaping.dll, windows.storage.dll, wldp.dll, windowscodecs.dll, profapi.dll, propsys.dll, thumbcache.dll, policymanager.dll, msvcp110_win.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll, dataexchange.dll, d3d11.dll, dcomp.dll, dxgi.dll, twinapi.appcore.dll, mrmcorer.dll, iertutil.dll, windows.staterepositorycore.dll, appxdeploymentclient.dll, bcp47mrm.dll, windows.ui.dll, windowmanagementapi.dll, inputhost.dll, appxdeploymentclient.dll, edputil.dll, windows.staterepositoryps.dll, wkscli.dll, netutils.dll, provsvc.dll, apphelp.dll, onecoreuapcommonproxystub.dll, appxdeploymentclient.dll, appxdeploymentclient.dll
            Source: C:\Program Files\7-Zip\7zG.exe | Sections loaded: kernel.appcore.dll, uxtheme.dll, cryptbase.dll, explorerframe.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Sections loaded: apphelp.dll, rstrtmgr.dll, urlmon.dll, mpr.dll, ncrypt.dll, iertutil.dll, srvcli.dll, netutils.dll, ntasn1.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, kernel.appcore.dll, uxtheme.dll, wininet.dll, sspicli.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, msasn1.dll, dpapi.dll, gpapi.dll, ncryptsslp.dll, ntmarta.dll, propsys.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: sample.zip.zip | Static file information: File size 22211431 > 1048576

            Persistence and Installation Behavior

            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Process created: C:\Windows\SysWOW64\cmd.exe \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} recoverynabled No
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Process created: C:\Windows\SysWOW64\cmd.exe \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BabyLockerKZ
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BabyLockerKZ
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: PhysicalDrive0
            Source: C:\Program Files\7-Zip\7zFM.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Program Files\7-Zip\7zFM.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Program Files\7-Zip\7zFM.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Program Files\7-Zip\7zFM.exe | Queries volume information: C:\Documents and Settings VolumeInformation
            Source: C:\Program Files\7-Zip\7zFM.exe | Queries volume information: C:\Users\All Users VolumeInformation
            Source: C:\Program Files\7-Zip\7zFM.exe | Queries volume information: C:\Users\Default User VolumeInformation
            Source: C:\Program Files\7-Zip\7zFM.exe | Queries volume information: C:\Users\user\Application Data VolumeInformation
            Source: C:\Program Files\7-Zip\7zFM.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Program Files\7-Zip\7zFM.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\sample.zip\sample\Videos\crypt154.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            MITRE ATT&CK Matrix (techniques with at least one hit; hit count in parentheses; no hits in Reconnaissance, Resource Development, Execution, Credential Access, Lateral Movement, Collection or Exfiltration)
              • Initial Access: Replication Through Removable Media (1)
              • Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1)
              • Privilege Escalation: Process Injection (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1)
              • Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Rundll32 (1); DLL Side-Loading (1); File Deletion (1)
              • Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (1); Peripheral Device Discovery (11); System Network Configuration Discovery (1); File and Directory Discovery (2); System Information Discovery (33)
              • Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13)
              • Impact: Inhibit System Recovery (1)
