Analysis
max time kernel: 144s
max time network: 69s
platform: windows10_x64
resource: win10v20201028
submitted: 05-04-2021 09:13
Static task: static1
Behavioral task: behavioral1
  Sample: updated.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: updated.exe
  Resource: win10v20201028
General
Target: updated.exe
Size: 5.1MB
MD5: e3749a1c5284b28ad7ded54ed747b6e0
SHA1: c516f5af4ab59ec6750ac86d11f06ee1dd47a1dd
SHA256: 430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9
SHA512: acd1911e755d715b7c96ea278a6f4ea039884a85ac230913b1bd85b3f1ab6e322d9cbe9e9869a4c9eeeb5460ebeca9591b5e64d48789ded45d8bc0168ec22bb4
Malware Config
Extracted
C:\READ-ME-NOW.txt
jormungand
Signatures

Jormungand Ransomware
Ransomware family first observed in March 2021.

Drops file in Drivers directory (4 IoCs)
Processes: updated.exe
Each row: description = File opened for modification, process = updated.exe
ioc:
  C:\Windows\SysWOW64\drivers\en-US\READ-ME-NOW.txt
  C:\Windows\SysWOW64\drivers\READ-ME-NOW.txt
  C:\Windows\SysWOW64\drivers\UMDF\READ-ME-NOW.txt
  C:\Windows\SysWOW64\drivers\UMDF\en-US\READ-ME-NOW.txt
Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: updated.exe
Each row: description = File renamed, process = updated.exe
ioc:
  C:\Users\Admin\Pictures\HideCompare.tif => C:\Users\Admin\Pictures\HideCompare.tif.glock
  C:\Users\Admin\Pictures\OptimizeOut.crw => C:\Users\Admin\Pictures\OptimizeOut.crw.glock
  C:\Users\Admin\Pictures\SkipResume.png => C:\Users\Admin\Pictures\SkipResume.png.glock
  C:\Users\Admin\Pictures\UnpublishExpand.crw => C:\Users\Admin\Pictures\UnpublishExpand.crw.glock
  C:\Users\Admin\Pictures\CompareEnter.raw => C:\Users\Admin\Pictures\CompareEnter.raw.glock
  C:\Users\Admin\Pictures\CompleteRegister.crw => C:\Users\Admin\Pictures\CompleteRegister.crw.glock
  C:\Users\Admin\Pictures\DisableCheckpoint.raw => C:\Users\Admin\Pictures\DisableCheckpoint.raw.glock
  C:\Users\Admin\Pictures\FormatWait.png => C:\Users\Admin\Pictures\FormatWait.png.glock
Drops startup file (2 IoCs)
Processes: updated.exe
Each row: description = File opened for modification, process = updated.exe
ioc:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ-ME-NOW.txt
  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\READ-ME-NOW.txt
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (27 IoCs)
Processes: updated.exe
Each row: description = File opened for modification, process = updated.exe
ioc:
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Public\AccountPictures\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Program Files\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Public\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Program Files (x86)\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\Users\Public\Libraries\desktop.ini
Drops file in System32 directory (64 IoCs)
Processes: updated.exe
Each row: description = File opened for modification, process = updated.exe
ioc:
  C:\Windows\System32\DriverStore\FileRepository\mdmcomp.inf_amd64_c85f2acdcfd80e25\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\usb.inf_amd64_9d11c732890f6cba\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG2100\READ-ME-NOW.txt
  C:\Windows\SysWOW64\zh-CN\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\mdmaiwa3.inf_amd64_082c965d06fa01ba\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\mdmracal.inf_amd64_8601091f0497cbd2\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_07ee1bb78d96a8d3\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\bthprint.inf_amd64_ec8d0fdfe67e99bf\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG5200\READ-ME-NOW.txt
  C:\Windows\SysWOW64\IME\IMEKR\APPLETS\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\volmgr.inf_amd64_84149a6ef7112aa8\READ-ME-NOW.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\usbhub3.inf_amd64_6ea6830940f8f4e2\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\wgencounter.inf_amd64_bdd64cbba1f77e90\READ-ME-NOW.txt
  C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\mdmhandy.inf_amd64_bb9338851f6bc758\READ-ME-NOW.txt
  C:\Windows\SysWOW64\config\RegBack\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\netevbda.inf_amd64_5b0a2c55b7945304\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_6df3b80c4f6b8f8d\READ-ME-NOW.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\1394.inf_amd64_c9bb1e2e78735498\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\c_fscontinuousbackup.inf_amd64_fc73a166bb2171a9\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\c_sensor.inf_amd64_91be02124b0e8e01\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\c_sdhost.inf_amd64_d05c1c54ae75d39c\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\READ-ME-NOW.txt
  C:\Windows\SysWOW64\Tasks\Microsoft\Windows\WCM\READ-ME-NOW.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\READ-ME-NOW.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\c_monitor.inf_amd64_2fb715161c068cfa\READ-ME-NOW.txt
  C:\Windows\SysWOW64\sysprep\en-US\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\hidbthle.inf_amd64_792724380f6ef57c\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\CNQ2414\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\prndlclf.inf_amd64_efe1d550b7437499\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\storufs.inf_amd64_f25a0ad42f53c0f2\READ-ME-NOW.txt
  C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\READ-ME-NOW.txt
  C:\Windows\SysWOW64\fr-FR\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\mdmnis2u.inf_amd64_258d58dc848b3bfb\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\iagpio.inf_amd64_8df3c3e4f563fd12\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\mbtr8897w81x64.inf_amd64_fd074d03451ecbb5\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_d271ba5a9c993ac3\READ-ME-NOW.txt
  C:\Windows\SysWOW64\Speech_OneCore\Engines\READ-ME-NOW.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\READ-ME-NOW.txt
  C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\c_display.inf_amd64_23eb64caf422f130\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MP640\READ-ME-NOW.txt
  C:\Windows\SysWOW64\spp\tokens\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\c_fsreplication.inf_amd64_794a10b0906dcc25\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_b32102a0c2920c07\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\tpm.inf_amd64_7d5f89afdf3873b2\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\uicciso.inf_amd64_ab77a5dd693a6343\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\wiaep003.inf_amd64_c58a04f11ce74cd7\READ-ME-NOW.txt
  C:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\READ-ME-NOW.txt
  C:\Windows\SysWOW64\bg-BG\READ-ME-NOW.txt
  C:\Windows\SysWOW64\ko-KR\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\sensorsalsdriver.inf_amd64_afaf2df0cb2e7db6\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\c_fsactivitymonitor.inf_amd64_9b02583544c39f62\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\c_netclient.inf_amd64_40468abc5559cc75\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_8343533b38a2a0da\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\modemcsa.inf_amd64_301c39e3c1162ee0\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_960a76222168b3fa\READ-ME-NOW.txt
  C:\Windows\SysWOW64\InstallShield\setupdir\000b\READ-ME-NOW.txt
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\READ-ME-NOW.txt
  C:\Windows\System32\DriverStore\FileRepository\c_fshsm.inf_amd64_5701a150984e2034\READ-ME-NOW.txt
Drops file in Program Files directory (64 IoCs)
Processes: updated.exe
Each row: description = File opened for modification, process = updated.exe
ioc:
  C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-400.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-200.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\telemetryrules\hxcalendarappimm.exe_Rules.xml
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\READ-ME-NOW.txt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\READ-ME-NOW.txt
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-80.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-GB.mail.config
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-selector.js
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\ui-strings.js
  C:\Program Files\VideoLAN\VLC\locale\tl\READ-ME-NOW.txt
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-400.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\example_icons2x.png
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\READ-ME-NOW.txt
  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\READ-ME-NOW.txt
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7813_40x40x32.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_2x.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\READ-ME-NOW.txt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\READ-ME-NOW.txt
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-100.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail.png
  C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\READ-ME-NOW.txt
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\FreeCell\READ-ME-NOW.txt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\ui-strings.js
  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\READ-ME-NOW.txt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\READ-ME-NOW.txt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\READ-ME-NOW.txt
  C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-sl\READ-ME-NOW.txt
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-125.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\ui-strings.js
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-view.css
  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\READ-ME-NOW.txt
  C:\Program Files\7-Zip\Lang\id.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\README.txt
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\FileAttachmentPlaceholder.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected-hover.svg
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Toast.svg
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected.svg
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\READ-ME-NOW.txt
  C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\READ-ME-NOW.txt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\READ-ME-NOW.txt
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-200.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ru_get.svg
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\READ-ME-NOW.txt
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\READ-ME-NOW.txt
  C:\Program Files\7-Zip\Lang\lv.txt
  C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansRegular.ttf
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\READ-ME-NOW.txt
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fr_get.svg
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\READ-ME-NOW.txt
  C:\Program Files (x86)\MSBuild\READ-ME-NOW.txt
Drops file in Windows directory (64 IoCs)
Processes: updated.exe
Each row: description = File opened for modification, process = updated.exe
ioc:
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.Resources\READ-ME-NOW.txt
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Uev.ManagedAgentWmi.WinRT\v4.0_10.0.0.0__31bf3856ad364e35\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-d..al-chinese-moimeexe_31bf3856ad364e35_10.0.15063.0_none_425f31447fe3181d\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-feclient_31bf3856ad364e35_10.0.15063.0_none_cfedea6490638e48\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-i..timezones.resources_31bf3856ad364e35_10.0.15063.0_he-il_c24178b31a3047c3\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_netfx4-system.windo..input.manipulations_b03f5f7f11d50a3a_4.0.14917.0_none_2df1f127673ef9f0\READ-ME-NOW.txt
  C:\Windows\WinSxS\x86_microsoft-windows-wusa_31bf3856ad364e35_10.0.15063.0_none_61f5cf32990e235e\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-f..ruetype-comicsansms_31bf3856ad364e35_10.0.15063.0_none_ed68fcfc73314d2d\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-s..uphandler.resources_31bf3856ad364e35_10.0.15063.0_en-us_e01c1cb240edb0d7\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_netfx4-alink_dll_b03f5f7f11d50a3a_4.0.15552.17062_none_c470ccf6d7f2d864\READ-ME-NOW.txt
  C:\Windows\WinSxS\x86_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.15063.0_hu-hu_ff335bcc19ba2859\READ-ME-NOW.txt
  C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\0c0a\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-a..on-wizard.resources_31bf3856ad364e35_10.0.15063.0_en-us_50e3df9cff649a72\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-d..owershell.resources_31bf3856ad364e35_10.0.15063.0_en-us_47b5e34aaf315973\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_10.0.15063.0_pt-pt_16167d44ab9d7d48\READ-ME-NOW.txt
  C:\Windows\WinSxS\msil_system.runtime.serialization.json_b03f5f7f11d50a3a_4.0.14917.0_none_57ad03792915f188\READ-ME-NOW.txt
  C:\Windows\WinSxS\x86_microsoft-windows-halftone-ui_31bf3856ad364e35_10.0.15063.0_none_8fd556771b8e0358\READ-ME-NOW.txt
  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\READ-ME-NOW.txt
  C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\views\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-i..timezones.resources_31bf3856ad364e35_10.0.15063.0_sr-..-rs_691da48bfc92e6b3\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_10.0.15063.0_sl-si_7ea4ba26925669fa\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-s..ingstack-base-extra_31bf3856ad364e35_10.0.15063.0_none_3018c456fc224bc5\READ-ME-NOW.txt
  C:\Windows\WinSxS\x86_microsoft-windows-g..zards-mui.resources_31bf3856ad364e35_10.0.15063.0_en-us_0ca347faaf94422e\READ-ME-NOW.txt
  C:\Windows\WinSxS\x86_microsoft-windows-i..plication.resources_31bf3856ad364e35_11.0.15063.0_en-us_3e442547fad7f6e6\READ-ME-NOW.txt
  C:\Windows\Boot\PCAT\zh-TW\READ-ME-NOW.txt
  C:\Windows\WinSxS\x86_microsoft-windows-d..evicecontexthandler_31bf3856ad364e35_10.0.15063.0_none_526c3d63b2b9be9f\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-i..ional-codepage-1252_31bf3856ad364e35_10.0.15063.0_none_332fa831431abc8e\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-performance.resources_31bf3856ad364e35_10.0.15063.0_en-us_57c7495250910b4d\READ-ME-NOW.txt
  C:\Windows\WinSxS\msil_microsoft.visualc_b03f5f7f11d50a3a_4.0.14917.0_none_405a915394fb2568\READ-ME-NOW.txt
  C:\Windows\WinSxS\wow64_microsoft-windows-p..r-library.resources_31bf3856ad364e35_10.0.15063.0_en-us_2cda21d46795ac97\READ-ME-NOW.txt
  C:\Windows\WinSxS\x86_netfx35linq-system.data.services.design_31bf3856ad364e35_10.0.15063.0_none_aec5804f2e7edcc2\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_10.0.15063.0_en-us_a1cee114be590b8f\READ-ME-NOW.txt
  C:\Windows\WinSxS\wow64_microsoft-windows-searchfolder-library_31bf3856ad364e35_10.0.15063.0_none_ab3c90f5da661b6b\READ-ME-NOW.txt
  C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-font-truetype-yibaiti_31bf3856ad364e35_10.0.15063.0_none_69559982f36cf9b2\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_multipoint-station_31bf3856ad364e35_10.0.15063.0_none_3db9505992926e35\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-charmap.resources_31bf3856ad364e35_10.0.15063.0_en-us_f852cda3309c14d5\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-m..agnostics.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_f73767e372a1f4b0\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-m..dac-rds-persist-dll_31bf3856ad364e35_10.0.15063.0_none_a5c104f160245808\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-s..enterpriseg-license_31bf3856ad364e35_10.0.15063.0_none_2dec83a8bf6eebcb\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a\READ-ME-NOW.txt
  C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00000447_31bf3856ad364e35_10.0.15063.0_none_055377cacfb1b69b\READ-ME-NOW.txt
  C:\Windows\WinSxS\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_e90c83a541642cb5\READ-ME-NOW.txt
  C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Images\READ-ME-NOW.txt
  C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-clouddomainjoinaug_31bf3856ad364e35_10.0.15063.0_none_17f0ea3e297abdaa\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-e..iewer-adm.resources_31bf3856ad364e35_10.0.15063.0_en-us_5a4a84c5cc965674\READ-ME-NOW.txt
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.EventBasedAsync\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-onecore-notificationcontroller_31bf3856ad364e35_10.0.15063.0_none_141eb2b4724c6d6d\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-cloudstore.resources_31bf3856ad364e35_10.0.15063.0_en-us_66e1da8727e9ccef\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.15063.0_none_49b79a14525917ad\READ-ME-NOW.txt
  C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-0000046f_31bf3856ad364e35_10.0.15063.0_none_1a2b1bacc24bbea6\READ-ME-NOW.txt
  C:\Windows\WinSxS\x86_microsoft-windows-l2gpstore-mof_31bf3856ad364e35_10.0.15063.0_none_f4ad09ba99aba77d\READ-ME-NOW.txt
  C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_10.0.15063.0_none_7645d20f4286a665\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_windows-gaming-prev..esenumeration-winrt_31bf3856ad364e35_10.0.15063.0_none_5ed5e2ee46bb800d\READ-ME-NOW.txt
  C:\Windows\WinSxS\x86_microsoft-windows-s..ngstack-onecorebase_31bf3856ad364e35_10.0.15063.0_none_a57a337f62556507\READ-ME-NOW.txt
  C:\Windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\READ-ME-NOW.txt
  C:\Windows\WinSxS\amd64_microsoft-windows-computer-name-ui_31bf3856ad364e35_10.0.15063.0_none_1f1b00c82751e7ca\READ-ME-NOW.txt
  C:\Windows\WinSxS\wow64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_en-us_6dffadf883c9e255\READ-ME-NOW.txt
  C:\Windows\WinSxS\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_sk-sk_e4534a2525509eff\READ-ME-NOW.txt
  C:\Windows\WinSxS\x86_netfx4-msvcr120_clr_dll_31bf3856ad364e35_4.0.15552.17081_none_cd147ad90d25379b\READ-ME-NOW.txt
  C:\Windows\WinSxS\wow64_microsoft-windows-e..d-keyboardfilterwmi_31bf3856ad364e35_10.0.15063.0_none_77d21830e6444e76\READ-ME-NOW.txt
  C:\Windows\INF\ESENT\READ-ME-NOW.txt
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
HTTP User-Agent header (flow 11): Go-http-client/1.1 -
Kills process with taskkill 41 IoCs
Processes:
taskkill.exe, 41 instances, PIDs: 852, 4604, 3464, 5004, 1772, 188, 2248, 3924, 1660, 4492, 4148, 4172, 4596, 3024, 2832, 3960, 4636, 5112, 3148, 4220, 4360, 4812, 1748, 5156, 3984, 2272, 1296, 3980, 1956, 2200, 3848, 3916, 4868, 4944, 5072, 640, 4400, 4296, 4680, 4740, 5016 -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
taskkill.exe, 41 instances, each enabling Token: SeDebugPrivilege, PIDs: 852, 1296, 640, 3148, 3980, 1772, 188, 2832, 2248, 1956, 3024, 3924, 3960, 2200, 3464, 2272, 1660, 3984, 3848, 4172, 3916, 4220, 4148, 4296, 4360, 4492, 4400, 4596, 4680, 4636, 4740, 4812, 5072, 4868, 4944, 5016, 1748, 5004, 4604, 5112, 5156 -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
NOTEPAD.EXE PID:6892 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
updated.exe (PID 1152) wrote to the memory of the following target processes: mode.com (PID 488); taskkill.exe (PIDs 1296, 852, 640, 3148, 1772, 3980, 2832, 188, 2248, 3024, 1956, 3924, 3960, 2200, 3464, 1660, 2272, 3848, 3916, 3984, 4148)
Processes
-
C:\Users\Admin\AppData\Local\Temp\updated.exe (depth 1): "C:\Users\Admin\AppData\Local\Temp\updated.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\mode.com (depth 2): mode con cp select=125 vssadmin delete shadows /all
PID:488
-
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im msaccess.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1296 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im mspub.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:640 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im sqlagent.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:852 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im tbirdconfig.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1772 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im sqlbrowser.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3980 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im mydesktopqos.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2832 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im dbsnmp.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:188 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im thebat64.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2248 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im sqbcoreservice.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1956 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im encsvc.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3924 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im dbeng50.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2200 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im winword.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3960 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im ocautoupds.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1660 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im firefoxconfig.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3848 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im sqlservr.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3916 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im infopath.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3984 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im thebat.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4148 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im outlook.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4220 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im notepad.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4360 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im sqlserver.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4400 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im mysqld.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4296 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im excel.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4172 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im visio.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2272 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im powerpnt.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4492 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im msftesql.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4596 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im xfsssvccon.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4636 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im onenote.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4680 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im notepad++.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4740 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im synctime.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4812 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im agntsvc.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4868 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im sqlwriter.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4944 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im mysql-nt.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5016 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im isqlplussvc.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5112 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im wordpad.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5072 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im mydesktopservice.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im oracle.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4604 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im steam.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5004 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im mysql-opt.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5156 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im ocomm.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3464 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im thunderdird.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3024 -
C:\Windows\SysWOW64\taskkill.exe (depth 2): taskkill.exe /f /im ocssd.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3148 -
C:\Windows\SysWOW64\mode.com (depth 2): mode con cp select=125 vssadmin delete shadows /all
PID:6688
-
C:\Windows\system32\NOTEPAD.EXE (depth 1): "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\READ-ME-NOW.txt
- Suspicious use of FindShellTrayWindow
PID:6892
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5 80f5783486fa96c294b1c04105468093
SHA1 94e76e300ceace5d7bea7856894d91d003dccde9
SHA256 c9cc8a2c05f78dd4af4a798ee7b0665f73ae5f8ffeb92091fea842f4b3d62fa7
SHA512 dc99b897181e5a45a4f63e189e2e762c8e729c37ddd7f7d159c8760662aa8854900e04322be4975c942d9e01c2aaaf722a565970d7d57a6eb9295889f9d5e31b