updated.exe

General
Target

updated.exe

Filesize

5MB

Completed

05-04-2021 09:16

Score

10/10
MD5

e3749a1c5284b28ad7ded54ed747b6e0

SHA1

c516f5af4ab59ec6750ac86d11f06ee1dd47a1dd

SHA256

430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9

Malware Config

Extracted

Path C:\READ-ME-NOW.txt
Family jormungand
Ransom Note
Attention! infortrend!!!!!!! --------------------------------- What happened? We are Jormungand ransomware Your project source code and customer information. Important information has been downloaded. If you do not redeem it as soon as possible, it will be exposed and you will be responsible for the consequences. --------------------------------- How to get my files back? --------------------------------- The only way to recover the file is to contact us to buy the private key. Please contact us with your Unique Identifiler Key --------------------------------- What about guarantees? --------------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer ! --------------------------------- Our email address: DYAQrvHmy@protonmail.com ----------------- Your Unique Identifiler Key: F+uF3xzMWQ+x5N6VatsrzEXEwkD3azstMMoi1LkueA2kDHmIwyDYufNzBzuR0bZznbZJ9zmP61AjwgSaa4CrDm/VOttbpSU4vUcNPpP+FQT4Uarabq1TdlJ+AmI8jFNhelKn3tufUx0dyb8jMEENI4f8glBSJiv5pfxh5dll13Q=
Emails

DYAQrvHmy@protonmail.com

Signatures 14

Collection
Credential Access
  • Jormungand Ransomware

    Description

    Ransomware family first observed in March 2021.

  • Drops file in Drivers directory
    updated.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\drivers\en-US\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US\READ-ME-NOW.txt | updated.exe
  • Modifies extensions of user files
    updated.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    description | ioc | process
    File renamed | C:\Users\Admin\Pictures\HideCompare.tif => C:\Users\Admin\Pictures\HideCompare.tif.glock | updated.exe
    File renamed | C:\Users\Admin\Pictures\OptimizeOut.crw => C:\Users\Admin\Pictures\OptimizeOut.crw.glock | updated.exe
    File renamed | C:\Users\Admin\Pictures\SkipResume.png => C:\Users\Admin\Pictures\SkipResume.png.glock | updated.exe
    File renamed | C:\Users\Admin\Pictures\UnpublishExpand.crw => C:\Users\Admin\Pictures\UnpublishExpand.crw.glock | updated.exe
    File renamed | C:\Users\Admin\Pictures\CompareEnter.raw => C:\Users\Admin\Pictures\CompareEnter.raw.glock | updated.exe
    File renamed | C:\Users\Admin\Pictures\CompleteRegister.crw => C:\Users\Admin\Pictures\CompleteRegister.crw.glock | updated.exe
    File renamed | C:\Users\Admin\Pictures\DisableCheckpoint.raw => C:\Users\Admin\Pictures\DisableCheckpoint.raw.glock | updated.exe
    File renamed | C:\Users\Admin\Pictures\FormatWait.png => C:\Users\Admin\Pictures\FormatWait.png.glock | updated.exe
  • Drops startup file
    updated.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\READ-ME-NOW.txt | updated.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    TTPs

    Data from Local System
    Credentials in Files
  • Drops desktop.ini file(s)
    updated.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\Favorites\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Videos\desktop.ini | updated.exe
    File opened for modification | C:\Users\Public\Pictures\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Downloads\desktop.ini | updated.exe
    File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Contacts\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Links\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | updated.exe
    File opened for modification | C:\Users\Public\Videos\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Desktop\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Searches\desktop.ini | updated.exe
    File opened for modification | C:\Program Files\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Pictures\desktop.ini | updated.exe
    File opened for modification | C:\Users\Public\Music\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Documents\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | updated.exe
    File opened for modification | C:\Users\Public\Desktop\desktop.ini | updated.exe
    File opened for modification | C:\Users\Public\Documents\desktop.ini | updated.exe
    File opened for modification | C:\Users\Public\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Music\desktop.ini | updated.exe
    File opened for modification | C:\Program Files (x86)\desktop.ini | updated.exe
    File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | updated.exe
    File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | updated.exe
    File opened for modification | C:\Users\Public\Downloads\desktop.ini | updated.exe
    File opened for modification | C:\Users\Public\Libraries\desktop.ini | updated.exe
  • Drops file in System32 directory
    updated.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmcomp.inf_amd64_c85f2acdcfd80e25\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\usb.inf_amd64_9d11c732890f6cba\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG2100\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\zh-CN\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmaiwa3.inf_amd64_082c965d06fa01ba\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmracal.inf_amd64_8601091f0497cbd2\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_07ee1bb78d96a8d3\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\bthprint.inf_amd64_ec8d0fdfe67e99bf\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG5200\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\IME\IMEKR\APPLETS\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\volmgr.inf_amd64_84149a6ef7112aa8\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\usbhub3.inf_amd64_6ea6830940f8f4e2\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wgencounter.inf_amd64_bdd64cbba1f77e90\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmhandy.inf_amd64_bb9338851f6bc758\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\config\RegBack\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netevbda.inf_amd64_5b0a2c55b7945304\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_6df3b80c4f6b8f8d\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\1394.inf_amd64_c9bb1e2e78735498\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_fscontinuousbackup.inf_amd64_fc73a166bb2171a9\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_sensor.inf_amd64_91be02124b0e8e01\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_sdhost.inf_amd64_d05c1c54ae75d39c\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\Tasks\Microsoft\Windows\WCM\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_monitor.inf_amd64_2fb715161c068cfa\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\sysprep\en-US\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\hidbthle.inf_amd64_792724380f6ef57c\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\CNQ2414\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prndlclf.inf_amd64_efe1d550b7437499\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\storufs.inf_amd64_f25a0ad42f53c0f2\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\fr-FR\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmnis2u.inf_amd64_258d58dc848b3bfb\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\iagpio.inf_amd64_8df3c3e4f563fd12\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mbtr8897w81x64.inf_amd64_fd074d03451ecbb5\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_d271ba5a9c993ac3\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Engines\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_display.inf_amd64_23eb64caf422f130\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MP640\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\spp\tokens\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_fsreplication.inf_amd64_794a10b0906dcc25\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_b32102a0c2920c07\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\tpm.inf_amd64_7d5f89afdf3873b2\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\uicciso.inf_amd64_ab77a5dd693a6343\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiaep003.inf_amd64_c58a04f11ce74cd7\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\bg-BG\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\ko-KR\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\sensorsalsdriver.inf_amd64_afaf2df0cb2e7db6\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_fsactivitymonitor.inf_amd64_9b02583544c39f62\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_netclient.inf_amd64_40468abc5559cc75\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_8343533b38a2a0da\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\modemcsa.inf_amd64_301c39e3c1162ee0\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_960a76222168b3fa\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\InstallShield\setupdir\000b\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_fshsm.inf_amd64_5701a150984e2034\READ-ME-NOW.txt | updated.exe
  • Drops file in Program Files directory
    updated.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-400.png | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-200.png | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\telemetryrules\hxcalendarappimm.exe_Rules.xml | updated.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-80.png | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-GB.mail.config | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-selector.js | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\ui-strings.js | updated.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tl\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-400.png | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\example_icons2x.png | updated.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7813_40x40x32.png | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_2x.png | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-100.png | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail.png | updated.exe
    File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\FreeCell\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\ui-strings.js | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-sl\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-125.png | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\ui-strings.js | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-view.css | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | updated.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\README.txt | updated.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\FileAttachmentPlaceholder.png | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected-hover.svg | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Toast.svg | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected.svg | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml | updated.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar | updated.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-200.png | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ru_get.svg | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | updated.exe
    File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansRegular.ttf | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar | updated.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fr_get.svg | updated.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Program Files (x86)\MSBuild\READ-ME-NOW.txt | updated.exe
  • Drops file in Windows directory
    updated.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.Resources\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Uev.ManagedAgentWmi.WinRT\v4.0_10.0.0.0__31bf3856ad364e35\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-d..al-chinese-moimeexe_31bf3856ad364e35_10.0.15063.0_none_425f31447fe3181d\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-feclient_31bf3856ad364e35_10.0.15063.0_none_cfedea6490638e48\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..timezones.resources_31bf3856ad364e35_10.0.15063.0_he-il_c24178b31a3047c3\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_netfx4-system.windo..input.manipulations_b03f5f7f11d50a3a_4.0.14917.0_none_2df1f127673ef9f0\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-wusa_31bf3856ad364e35_10.0.15063.0_none_61f5cf32990e235e\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-f..ruetype-comicsansms_31bf3856ad364e35_10.0.15063.0_none_ed68fcfc73314d2d\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..uphandler.resources_31bf3856ad364e35_10.0.15063.0_en-us_e01c1cb240edb0d7\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_netfx4-alink_dll_b03f5f7f11d50a3a_4.0.15552.17062_none_c470ccf6d7f2d864\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.15063.0_hu-hu_ff335bcc19ba2859\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\0c0a\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..on-wizard.resources_31bf3856ad364e35_10.0.15063.0_en-us_50e3df9cff649a72\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-d..owershell.resources_31bf3856ad364e35_10.0.15063.0_en-us_47b5e34aaf315973\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_10.0.15063.0_pt-pt_16167d44ab9d7d48\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\msil_system.runtime.serialization.json_b03f5f7f11d50a3a_4.0.14917.0_none_57ad03792915f188\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-halftone-ui_31bf3856ad364e35_10.0.15063.0_none_8fd556771b8e0358\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\views\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..timezones.resources_31bf3856ad364e35_10.0.15063.0_sr-..-rs_691da48bfc92e6b3\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_10.0.15063.0_sl-si_7ea4ba26925669fa\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ingstack-base-extra_31bf3856ad364e35_10.0.15063.0_none_3018c456fc224bc5\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-g..zards-mui.resources_31bf3856ad364e35_10.0.15063.0_en-us_0ca347faaf94422e\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-i..plication.resources_31bf3856ad364e35_11.0.15063.0_en-us_3e442547fad7f6e6\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\Boot\PCAT\zh-TW\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-d..evicecontexthandler_31bf3856ad364e35_10.0.15063.0_none_526c3d63b2b9be9f\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..ional-codepage-1252_31bf3856ad364e35_10.0.15063.0_none_332fa831431abc8e\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-performance.resources_31bf3856ad364e35_10.0.15063.0_en-us_57c7495250910b4d\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\msil_microsoft.visualc_b03f5f7f11d50a3a_4.0.14917.0_none_405a915394fb2568\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-p..r-library.resources_31bf3856ad364e35_10.0.15063.0_en-us_2cda21d46795ac97\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\x86_netfx35linq-system.data.services.design_31bf3856ad364e35_10.0.15063.0_none_aec5804f2e7edcc2\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_10.0.15063.0_en-us_a1cee114be590b8f\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-searchfolder-library_31bf3856ad364e35_10.0.15063.0_none_ab3c90f5da661b6b\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-font-truetype-yibaiti_31bf3856ad364e35_10.0.15063.0_none_69559982f36cf9b2\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_multipoint-station_31bf3856ad364e35_10.0.15063.0_none_3db9505992926e35\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-charmap.resources_31bf3856ad364e35_10.0.15063.0_en-us_f852cda3309c14d5\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..agnostics.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_f73767e372a1f4b0\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..dac-rds-persist-dll_31bf3856ad364e35_10.0.15063.0_none_a5c104f160245808\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..enterpriseg-license_31bf3856ad364e35_10.0.15063.0_none_2dec83a8bf6eebcb\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00000447_31bf3856ad364e35_10.0.15063.0_none_055377cacfb1b69b\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_e90c83a541642cb5\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Images\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-clouddomainjoinaug_31bf3856ad364e35_10.0.15063.0_none_17f0ea3e297abdaa\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-e..iewer-adm.resources_31bf3856ad364e35_10.0.15063.0_en-us_5a4a84c5cc965674\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.EventBasedAsync\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-notificationcontroller_31bf3856ad364e35_10.0.15063.0_none_141eb2b4724c6d6d\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-cloudstore.resources_31bf3856ad364e35_10.0.15063.0_en-us_66e1da8727e9ccef\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.15063.0_none_49b79a14525917ad\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-0000046f_31bf3856ad364e35_10.0.15063.0_none_1a2b1bacc24bbea6\READ-ME-NOW.txt | updated.exe
    File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-l2gpstore-mof_31bf3856ad364e35_10.0.15063.0_none_f4ad09ba99aba77d\READ-ME-NOW.txt | updated.exe
    File opened for modificationC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\READ-ME-NOW.txtupdated.exe
    File opened for modificationC:\Windows\WinSxS\amd64_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_10.0.15063.0_none_7645d20f4286a665\READ-ME-NOW.txtupdated.exe
    File opened for modificationC:\Windows\WinSxS\amd64_windows-gaming-prev..esenumeration-winrt_31bf3856ad364e35_10.0.15063.0_none_5ed5e2ee46bb800d\READ-ME-NOW.txtupdated.exe
    File opened for modificationC:\Windows\WinSxS\x86_microsoft-windows-s..ngstack-onecorebase_31bf3856ad364e35_10.0.15063.0_none_a57a337f62556507\READ-ME-NOW.txtupdated.exe
    File opened for modificationC:\Windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\READ-ME-NOW.txtupdated.exe
    File opened for modificationC:\Windows\WinSxS\amd64_microsoft-windows-computer-name-ui_31bf3856ad364e35_10.0.15063.0_none_1f1b00c82751e7ca\READ-ME-NOW.txtupdated.exe
    File opened for modificationC:\Windows\WinSxS\wow64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_en-us_6dffadf883c9e255\READ-ME-NOW.txtupdated.exe
    File opened for modificationC:\Windows\WinSxS\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_sk-sk_e4534a2525509eff\READ-ME-NOW.txtupdated.exe
    File opened for modificationC:\Windows\WinSxS\x86_netfx4-msvcr120_clr_dll_31bf3856ad364e35_4.0.15552.17081_none_cd147ad90d25379b\READ-ME-NOW.txtupdated.exe
    File opened for modificationC:\Windows\WinSxS\wow64_microsoft-windows-e..d-keyboardfilterwmi_31bf3856ad364e35_10.0.15063.0_none_77d21830e6444e76\READ-ME-NOW.txtupdated.exe
    File opened for modificationC:\Windows\INF\ESENT\READ-ME-NOW.txtupdated.exe
  • GoLang User-Agent

    Description

    Uses default user-agent string defined by GoLang HTTP packages.

    Reported IOCs

    description | flow | ioc
    HTTP User-Agent header | 11 | Go-http-client/1.1
  • Kills process with taskkill
    taskkill.exe

    Reported IOCs

    pid | process
    852 | taskkill.exe
    4604 | taskkill.exe
    3464 | taskkill.exe
    5004 | taskkill.exe
    1772 | taskkill.exe
    188 | taskkill.exe
    2248 | taskkill.exe
    3924 | taskkill.exe
    1660 | taskkill.exe
    4492 | taskkill.exe
    4148 | taskkill.exe
    4172 | taskkill.exe
    4596 | taskkill.exe
    3024 | taskkill.exe
    2832 | taskkill.exe
    3960 | taskkill.exe
    4636 | taskkill.exe
    5112 | taskkill.exe
    3148 | taskkill.exe
    4220 | taskkill.exe
    4360 | taskkill.exe
    4812 | taskkill.exe
    1748 | taskkill.exe
    5156 | taskkill.exe
    3984 | taskkill.exe
    2272 | taskkill.exe
    1296 | taskkill.exe
    3980 | taskkill.exe
    1956 | taskkill.exe
    2200 | taskkill.exe
    3848 | taskkill.exe
    3916 | taskkill.exe
    4868 | taskkill.exe
    4944 | taskkill.exe
    5072 | taskkill.exe
    640 | taskkill.exe
    4400 | taskkill.exe
    4296 | taskkill.exe
    4680 | taskkill.exe
    4740 | taskkill.exe
    5016 | taskkill.exe
  • Suspicious use of AdjustPrivilegeToken
    taskkill.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 852 | taskkill.exe
    Token: SeDebugPrivilege | 1296 | taskkill.exe
    Token: SeDebugPrivilege | 640 | taskkill.exe
    Token: SeDebugPrivilege | 3148 | taskkill.exe
    Token: SeDebugPrivilege | 3980 | taskkill.exe
    Token: SeDebugPrivilege | 1772 | taskkill.exe
    Token: SeDebugPrivilege | 188 | taskkill.exe
    Token: SeDebugPrivilege | 2832 | taskkill.exe
    Token: SeDebugPrivilege | 2248 | taskkill.exe
    Token: SeDebugPrivilege | 1956 | taskkill.exe
    Token: SeDebugPrivilege | 3024 | taskkill.exe
    Token: SeDebugPrivilege | 3924 | taskkill.exe
    Token: SeDebugPrivilege | 3960 | taskkill.exe
    Token: SeDebugPrivilege | 2200 | taskkill.exe
    Token: SeDebugPrivilege | 3464 | taskkill.exe
    Token: SeDebugPrivilege | 2272 | taskkill.exe
    Token: SeDebugPrivilege | 1660 | taskkill.exe
    Token: SeDebugPrivilege | 3984 | taskkill.exe
    Token: SeDebugPrivilege | 3848 | taskkill.exe
    Token: SeDebugPrivilege | 4172 | taskkill.exe
    Token: SeDebugPrivilege | 3916 | taskkill.exe
    Token: SeDebugPrivilege | 4220 | taskkill.exe
    Token: SeDebugPrivilege | 4148 | taskkill.exe
    Token: SeDebugPrivilege | 4296 | taskkill.exe
    Token: SeDebugPrivilege | 4360 | taskkill.exe
    Token: SeDebugPrivilege | 4492 | taskkill.exe
    Token: SeDebugPrivilege | 4400 | taskkill.exe
    Token: SeDebugPrivilege | 4596 | taskkill.exe
    Token: SeDebugPrivilege | 4680 | taskkill.exe
    Token: SeDebugPrivilege | 4636 | taskkill.exe
    Token: SeDebugPrivilege | 4740 | taskkill.exe
    Token: SeDebugPrivilege | 4812 | taskkill.exe
    Token: SeDebugPrivilege | 5072 | taskkill.exe
    Token: SeDebugPrivilege | 4868 | taskkill.exe
    Token: SeDebugPrivilege | 4944 | taskkill.exe
    Token: SeDebugPrivilege | 5016 | taskkill.exe
    Token: SeDebugPrivilege | 1748 | taskkill.exe
    Token: SeDebugPrivilege | 5004 | taskkill.exe
    Token: SeDebugPrivilege | 4604 | taskkill.exe
    Token: SeDebugPrivilege | 5112 | taskkill.exe
    Token: SeDebugPrivilege | 5156 | taskkill.exe
  • Suspicious use of FindShellTrayWindow
    NOTEPAD.EXE

    Reported IOCs

    pid | process
    6892 | NOTEPAD.EXE
  • Suspicious use of WriteProcessMemory
    updated.exe

    Reported IOCs

    description | pid | process | target process
    PID 1152 wrote to memory of 488 | 1152 | updated.exe | mode.com
    PID 1152 wrote to memory of 488 | 1152 | updated.exe | mode.com
    PID 1152 wrote to memory of 488 | 1152 | updated.exe | mode.com
    PID 1152 wrote to memory of 1296 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 1296 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 1296 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 852 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 852 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 852 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 640 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 640 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 640 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3148 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3148 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3148 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 1772 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 1772 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 1772 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3980 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3980 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3980 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 2832 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 2832 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 2832 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 188 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 188 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 188 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 2248 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 2248 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 2248 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3024 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3024 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3024 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 1956 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 1956 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 1956 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3924 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3924 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3924 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3960 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3960 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3960 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 2200 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 2200 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 2200 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3464 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3464 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3464 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 1660 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 1660 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 1660 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 2272 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 2272 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 2272 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3848 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3848 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3848 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3916 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3916 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3916 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3984 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3984 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 3984 | 1152 | updated.exe | taskkill.exe
    PID 1152 wrote to memory of 4148 | 1152 | updated.exe | taskkill.exe
Processes 45
  • C:\Users\Admin\AppData\Local\Temp\updated.exe
    "C:\Users\Admin\AppData\Local\Temp\updated.exe"
    Drops file in Drivers directory
    Modifies extensions of user files
    Drops startup file
    Drops desktop.ini file(s)
    Drops file in System32 directory
    Drops file in Program Files directory
    Drops file in Windows directory
    Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\SysWOW64\mode.com
      mode con cp select=125 vssadmin delete shadows /all
      PID:488
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im msaccess.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1296
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im mspub.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:640
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im sqlagent.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im tbirdconfig.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1772
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im sqlbrowser.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3980
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im mydesktopqos.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im dbsnmp.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:188
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im thebat64.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2248
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im sqbcoreservice.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1956
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im encsvc.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3924
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im dbeng50.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2200
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im winword.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3960
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im ocautoupds.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1660
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im firefoxconfig.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3848
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im sqlservr.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3916
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im infopath.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3984
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im thebat.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4148
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im outlook.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4220
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im notepad.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4360
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im sqlserver.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4400
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im mysqld.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4296
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im excel.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4172
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im visio.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2272
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im powerpnt.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4492
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im msftesql.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4596
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im xfsssvccon.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4636
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im onenote.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4680
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im notepad++.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4740
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im synctime.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4812
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im agntsvc.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4868
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im sqlwriter.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4944
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im mysql-nt.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5016
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im isqlplussvc.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5112
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im wordpad.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5072
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im mydesktopservice.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1748
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im oracle.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4604
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im steam.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5004
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im mysql-opt.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5156
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im ocomm.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3464
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im thunderdird.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3024
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im ocssd.exe
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3148
    • C:\Windows\SysWOW64\mode.com
      mode con cp select=125 vssadmin delete shadows /all
      PID:6688
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\READ-ME-NOW.txt
    Suspicious use of FindShellTrayWindow
    PID:6892
Downloads
  • C:\Users\Public\Desktop\READ-ME-NOW.txt

    MD5    80f5783486fa96c294b1c04105468093
    SHA1   94e76e300ceace5d7bea7856894d91d003dccde9
    SHA256 c9cc8a2c05f78dd4af4a798ee7b0665f73ae5f8ffeb92091fea842f4b3d62fa7
    SHA512 dc99b897181e5a45a4f63e189e2e762c8e729c37ddd7f7d159c8760662aa8854900e04322be4975c942d9e01c2aaaf722a565970d7d57a6eb9295889f9d5e31b