cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536

Analysis

max time kernel
142s
max time network
133s
platform
windows7_x64
resource
win7v20201028
submitted
18/02/2021, 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
Size

369KB
MD5

df919a46da2377f913e99fa5d4997ae9
SHA1

03cd2235f0e68f297020dd40ad48395fad78bd8d
SHA256

cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536
SHA512

22870750ef402c958353faefaaa77d4549c3d3a6f1f0bf36da77d881db0d0f5ebdb758e5cef21629f407d80e155dad62de747c472624424436125ba3835e9a61

Score

10^/10

evasion persistence ransomware spyware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\HOW_TO_RETURN_FILES.txt

Ransom Note

Dear manager, your database server has been locked, your databases files are encrypted and you have unfortunately "lost" all your data, Encryption was produced using unique key AES-256 generated for this server. To decrypt files you need to obtain the decryption key and tool. All encrypted files ends with .charm To obtain the program for this server, which will decrypt all files, you need to write me to email: "[email protected]" Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your guarantee that we have decryption tool. And send us your userkey We don't know who are you, All what we need is some money. Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again. You can use one of that bitcoin exchangers for transfering bitcoin: https://localbitcoins.com https://www.kraken.com You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country. Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language. You don't have enough time to think each day payment will increase and after one week your key will be deleted and your files will be locked forever. USERKEY: kZLnCucHvzB6094DFvYv/scHXO3lH8+q2SlGrWjRi80WNMlBxDbT/2H/petXbjN4frj+i1RsgLBAdbiVS5IXGLR8dt7hERf5SKyiDzD3+2q00PjYosmxkNzs+ysI82jmvdOvlVKCejlbKSCXF59JKhKxjYPxjzrLLExIkyplTbu3liT+sJ6/DSeQENfWrVLzk9aL/LNB8Njw/oUp/LinIVTA7e2prhrWwOG5xfSVyQaxlt1pjP9XiOmP2cAhRjImlc9ICG7QWR68ZhAHLKhtKWFRM7dpI2fgFSDxnTbikpGHO70BBp1GoXK6rJSdJt4OAu4adwxrVZsjBR08HtlAlQ==

Emails

"[email protected]"

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\DenySuspend.tif => C:\Users\Admin\Pictures\DenySuspend.tif.cnhelp	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\PushSet.tiff => C:\Users\Admin\Pictures\PushSet.tiff.cnhelp	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SetUnblock.crw => C:\Users\Admin\Pictures\SetUnblock.crw.cnhelp	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\DenyLock.tiff => C:\Users\Admin\Pictures\DenyLock.tiff.cnhelp	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\MeasureTrace.crw => C:\Users\Admin\Pictures\MeasureTrace.crw.cnhelp	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PushSet.tiff	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RestartClear.tif => C:\Users\Admin\Pictures\RestartClear.tif.cnhelp	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RestoreApprove.tiff => C:\Users\Admin\Pictures\RestoreApprove.tiff.cnhelp	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SetRegister.crw => C:\Users\Admin\Pictures\SetRegister.crw.cnhelp	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreApprove.tiff	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\DenyLock.tiff	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeRename.tiff	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\InvokeRename.tiff => C:\Users\Admin\Pictures\InvokeRename.tiff.cnhelp	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\MountHide.raw => C:\Users\Admin\Pictures\MountHide.raw.cnhelp	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_RETURN_FILES.txt	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\HOW_TO_RETURN_FILES.txt	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\HOW_TO_RETURN_FILES.txt	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21482_.GIF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\HOW_TO_RETURN_FILES.txt	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.config	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Waveform.eftx	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\HOW_TO_RETURN_FILES.txt	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00114_.WMF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\HOW_TO_RETURN_FILES.txt	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10253_.GIF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POST.CFG	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21427_.GIF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_K_COL.HXK	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185818.WMF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217262.WMF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME50.CSS	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OPHPROXY.DLL	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285820.WMF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0295241.GIF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN090.XML	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105506.WMF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\localedata.jar	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\HOW_TO_RETURN_FILES.txt	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\HOW_TO_RETURN_FILES.txt	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPPT.OLB	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyMergeLetter.dotx	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\SPRING.INF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107364.WMF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN097.XML	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File created	C:\Program Files\Windows Media Player\HOW_TO_RETURN_FILES.txt	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21297_.GIF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00306_.WMF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00068_.WMF	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_F_COL.HXK	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\HOW_TO_RETURN_FILES.txt	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	Explorer.EXE

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1748	1260	WerFault.exe	11

Kills process with taskkill 4 IoCs

evasion

pid	Process
1836	taskkill.exe
1940	taskkill.exe
636	taskkill.exe
1040	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1924	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1396	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1500	WMIC.exe
Token: SeSecurityPrivilege	1500	WMIC.exe
Token: SeTakeOwnershipPrivilege	1500	WMIC.exe
Token: SeLoadDriverPrivilege	1500	WMIC.exe
Token: SeSystemProfilePrivilege	1500	WMIC.exe
Token: SeSystemtimePrivilege	1500	WMIC.exe
Token: SeProfSingleProcessPrivilege	1500	WMIC.exe
Token: SeIncBasePriorityPrivilege	1500	WMIC.exe
Token: SeCreatePagefilePrivilege	1500	WMIC.exe
Token: SeBackupPrivilege	1500	WMIC.exe
Token: SeRestorePrivilege	1500	WMIC.exe
Token: SeShutdownPrivilege	1500	WMIC.exe
Token: SeDebugPrivilege	1500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1500	WMIC.exe
Token: SeRemoteShutdownPrivilege	1500	WMIC.exe
Token: SeUndockPrivilege	1500	WMIC.exe
Token: SeManageVolumePrivilege	1500	WMIC.exe
Token: 33	1500	WMIC.exe
Token: 34	1500	WMIC.exe
Token: 35	1500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1500	WMIC.exe
Token: SeSecurityPrivilege	1500	WMIC.exe
Token: SeTakeOwnershipPrivilege	1500	WMIC.exe
Token: SeLoadDriverPrivilege	1500	WMIC.exe
Token: SeSystemProfilePrivilege	1500	WMIC.exe
Token: SeSystemtimePrivilege	1500	WMIC.exe
Token: SeProfSingleProcessPrivilege	1500	WMIC.exe
Token: SeIncBasePriorityPrivilege	1500	WMIC.exe
Token: SeCreatePagefilePrivilege	1500	WMIC.exe
Token: SeBackupPrivilege	1500	WMIC.exe
Token: SeRestorePrivilege	1500	WMIC.exe
Token: SeShutdownPrivilege	1500	WMIC.exe
Token: SeDebugPrivilege	1500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1500	WMIC.exe
Token: SeRemoteShutdownPrivilege	1500	WMIC.exe
Token: SeUndockPrivilege	1500	WMIC.exe
Token: SeManageVolumePrivilege	1500	WMIC.exe
Token: 33	1500	WMIC.exe
Token: 34	1500	WMIC.exe
Token: 35	1500	WMIC.exe
Token: SeBackupPrivilege	1324	vssvc.exe
Token: SeRestorePrivilege	1324	vssvc.exe
Token: SeAuditPrivilege	1324	vssvc.exe
Token: SeDebugPrivilege	1748	WerFault.exe
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: 33	1708	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1708	AUDIODG.EXE
Token: 33	1708	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1708	AUDIODG.EXE
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: SeShutdownPrivilege	1396	Explorer.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1428	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	29
PID 1432 wrote to memory of 1428	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	29
PID 1432 wrote to memory of 1428	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	29
PID 1432 wrote to memory of 1428	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	29
PID 1428 wrote to memory of 1116	1428	cmd.exe	31
PID 1428 wrote to memory of 1116	1428	cmd.exe	31
PID 1428 wrote to memory of 1116	1428	cmd.exe	31
PID 1428 wrote to memory of 1116	1428	cmd.exe	31
PID 1116 wrote to memory of 1968	1116	net.exe	32
PID 1116 wrote to memory of 1968	1116	net.exe	32
PID 1116 wrote to memory of 1968	1116	net.exe	32
PID 1116 wrote to memory of 1968	1116	net.exe	32
PID 1432 wrote to memory of 2004	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	33
PID 1432 wrote to memory of 2004	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	33
PID 1432 wrote to memory of 2004	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	33
PID 1432 wrote to memory of 2004	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	33
PID 2004 wrote to memory of 1932	2004	cmd.exe	35
PID 2004 wrote to memory of 1932	2004	cmd.exe	35
PID 2004 wrote to memory of 1932	2004	cmd.exe	35
PID 2004 wrote to memory of 1932	2004	cmd.exe	35
PID 1932 wrote to memory of 1912	1932	net.exe	36
PID 1932 wrote to memory of 1912	1932	net.exe	36
PID 1932 wrote to memory of 1912	1932	net.exe	36
PID 1932 wrote to memory of 1912	1932	net.exe	36
PID 1432 wrote to memory of 2040	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	38
PID 1432 wrote to memory of 2040	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	38
PID 1432 wrote to memory of 2040	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	38
PID 1432 wrote to memory of 2040	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	38
PID 2040 wrote to memory of 1220	2040	cmd.exe	39
PID 2040 wrote to memory of 1220	2040	cmd.exe	39
PID 2040 wrote to memory of 1220	2040	cmd.exe	39
PID 2040 wrote to memory of 1220	2040	cmd.exe	39
PID 1220 wrote to memory of 364	1220	net.exe	40
PID 1220 wrote to memory of 364	1220	net.exe	40
PID 1220 wrote to memory of 364	1220	net.exe	40
PID 1220 wrote to memory of 364	1220	net.exe	40
PID 1432 wrote to memory of 332	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	41
PID 1432 wrote to memory of 332	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	41
PID 1432 wrote to memory of 332	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	41
PID 1432 wrote to memory of 332	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	41
PID 332 wrote to memory of 592	332	cmd.exe	43
PID 332 wrote to memory of 592	332	cmd.exe	43
PID 332 wrote to memory of 592	332	cmd.exe	43
PID 332 wrote to memory of 592	332	cmd.exe	43
PID 592 wrote to memory of 1608	592	net.exe	44
PID 592 wrote to memory of 1608	592	net.exe	44
PID 592 wrote to memory of 1608	592	net.exe	44
PID 592 wrote to memory of 1608	592	net.exe	44
PID 1432 wrote to memory of 820	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	45
PID 1432 wrote to memory of 820	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	45
PID 1432 wrote to memory of 820	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	45
PID 1432 wrote to memory of 820	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	45
PID 820 wrote to memory of 1444	820	cmd.exe	47
PID 820 wrote to memory of 1444	820	cmd.exe	47
PID 820 wrote to memory of 1444	820	cmd.exe	47
PID 820 wrote to memory of 1444	820	cmd.exe	47
PID 1444 wrote to memory of 1040	1444	net.exe	48
PID 1444 wrote to memory of 1040	1444	net.exe	48
PID 1444 wrote to memory of 1040	1444	net.exe	48
PID 1444 wrote to memory of 1040	1444	net.exe	48
PID 1432 wrote to memory of 816	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	49
PID 1432 wrote to memory of 816	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	49
PID 1432 wrote to memory of 816	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	49
PID 1432 wrote to memory of 816	1432	cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe	49

C:\Users\Admin\AppData\Local\Temp\cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c NET stop MSSQLSERVER /Y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\net.exe
    NET stop MSSQLSERVER /Y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /Y
      4⤵
      PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c NET stop MSSQL$SQLEXPRESS /Y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\net.exe
    NET stop MSSQL$SQLEXPRESS /Y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /Y
      4⤵
      PID:1912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c NET STOP acrsch2svc /Y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\net.exe
    NET STOP acrsch2svc /Y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP acrsch2svc /Y
      4⤵
      PID:364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c NET STOP acronisagent /Y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\SysWOW64\net.exe
    NET STOP acronisagent /Y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP acronisagent /Y
      4⤵
      PID:1608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c NET STOP arsm /Y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\net.exe
    NET STOP arsm /Y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP arsm /Y
      4⤵
      PID:1040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c NET STOP FirebirdServerDefaultInstance /Y
  2⤵
  PID:816
- - C:\Windows\SysWOW64\net.exe
    NET STOP FirebirdServerDefaultInstance /Y
    3⤵
    PID:1500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP FirebirdServerDefaultInstance /Y
      4⤵
      PID:1132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c NET STOP FirebirdGuardianDefaultInstance /Y
  2⤵
  PID:580
- - C:\Windows\SysWOW64\net.exe
    NET STOP FirebirdGuardianDefaultInstance /Y
    3⤵
    PID:1372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP FirebirdGuardianDefaultInstance /Y
      4⤵
      PID:308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c NET STOP MuzzleServer /Y
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\net.exe
    NET STOP MuzzleServer /Y
    3⤵
    PID:1036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MuzzleServer /Y
      4⤵
      PID:1120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im 1cv7s.exe /T /F
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 1cv7s.exe /T /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im 1cv8s.exe /T /F
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 1cv8s.exe /T /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im 1cv7.exe /T /F
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 1cv7.exe /T /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im 1cv8.exe /T /F
  2⤵
  PID:240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 1cv8.exe /T /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic shadowcopy delete
  2⤵
  PID:304
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop "Acronis VSS Provider" /y
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Acronis VSS Provider" /y
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop "Enterprise Client Service" /y
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Enterprise Client Service" /y
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop "Sophos Agent" /y
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Sophos Agent" /y
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop "Sophos AutoUpdate Service" /y
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop "Sophos Clean Service" /y
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Sophos Clean Service" /y
    3⤵
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop "Sophos Device Control Service" /y
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Sophos Device Control Service" /y
    3⤵
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop "Sophos File Scanner Service" /y
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Sophos File Scanner Service" /y
    3⤵
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop "Sophos Health Service" /y
  2⤵
  PID:304
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Sophos Health Service" /y
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop "Sophos MCS Agent" /y
  2⤵
  PID:896
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Sophos MCS Agent" /y
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop "Sophos MCS Client" /y
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Sophos MCS Client" /y
    3⤵
    PID:432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1260 -s 2864
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748
- C:\Windows\Explorer.EXE
  "C:\Windows\Explorer.EXE"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1396
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW_TO_RETURN_FILES.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1924

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x590
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1396-95-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/1396-60-0x000007FEFB431000-0x000007FEFB433000-memory.dmp

Filesize
8KB

Download
memory/1748-56-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1748-57-0x0000000001DA0000-0x0000000001DB1000-memory.dmp

Filesize
68KB

Download
memory/1748-58-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1808-98-0x000007FEF74A0000-0x000007FEF771A000-memory.dmp

Filesize
2.5MB

Download