xmrig | d455b4adb3367a9f0dc67c1f4ff2371d5495eac4db016fbabe4fe8e3d61b2a06

Analysis

max time kernel
139s
max time network
12s
platform
windows7_x64
resource
win7v20210408
submitted
16-07-2021 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9M1B.TMP.exe
Size

751KB
MD5

15f71f76e53975f8276b6736741342f3
SHA1

b185723d4b783392dc0229cee1b3d682662cea37
SHA256

d455b4adb3367a9f0dc67c1f4ff2371d5495eac4db016fbabe4fe8e3d61b2a06
SHA512

4ad2b8f1220188ece7b66f9480f72fd90212ff75bb587d557187b6ed0039bfe7f74f957fc5ca3c5fa88457736eb78a93a64332c3b81e75e624dc777077681e02

Score

10^/10

xmrig miner persistence ransomware upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 2 IoCs

Processes:

mstray.exe@RecoveryYourFiles@.exe

pid process

1488 mstray.exe
1664 @RecoveryYourFiles@.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1488	mstray.exe
1664	@RecoveryYourFiles@.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

cmd.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SubmitCheckpoint.raw => C:\Users\Admin\Pictures\SubmitCheckpoint.raw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\ConvertToUnregister.raw => C:\Users\Admin\Pictures\ConvertToUnregister.raw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\DisableApprove.tif => C:\Users\Admin\Pictures\DisableApprove.tif.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\DisconnectWait.crw => C:\Users\Admin\Pictures\DisconnectWait.crw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\ExitUnpublish.crw => C:\Users\Admin\Pictures\ExitUnpublish.crw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\ProtectGet.tiff => C:\Users\Admin\Pictures\ProtectGet.tiff.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\RestoreGrant.raw => C:\Users\Admin\Pictures\RestoreGrant.raw.MCNB	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\822B.tmp\2Y8U.TMP	upx
C:\Windows\System32\mstray.exe	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstray = "C:\\Windows\\system32\\mstray.exe"	reg.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	process
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\W:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\J:	cmd.exe
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\U:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe
File opened (read-only)	\??\G:	cmd.exe
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\M:	cmd.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\F:	cmd.exe
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\N:	cmd.exe
File opened (read-only)	\??\P:	cmd.exe
File opened (read-only)	\??\H:	cmd.exe

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\system32\mstray.exe cmd.exe
File opened for modification C:\Windows\system32\mstray.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\system32\mstray.exe	cmd.exe
File opened for modification	C:\Windows\system32\mstray.exe	cmd.exe

Delays execution with timeout.exe 46 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1192	timeout.exe
1568	timeout.exe
1848	timeout.exe
1568	timeout.exe
1868	timeout.exe
1936	timeout.exe
1168	timeout.exe
1620	timeout.exe
1596	timeout.exe
1740	timeout.exe
1848	timeout.exe
408	timeout.exe
892	timeout.exe
1532	timeout.exe
1936	timeout.exe
1320	timeout.exe
756	timeout.exe
1108	timeout.exe
1740	timeout.exe
1852	timeout.exe
1740	timeout.exe
1836	timeout.exe
1320	timeout.exe
1456	timeout.exe
1540	timeout.exe
560	timeout.exe
1532	timeout.exe
1416	timeout.exe
1740	timeout.exe
1744	timeout.exe
1856	timeout.exe
1108	timeout.exe
1632	timeout.exe
1912	timeout.exe
1176	timeout.exe
1776	timeout.exe
760	timeout.exe
1588	timeout.exe
2032	timeout.exe
1792	timeout.exe
1744	timeout.exe
1716	timeout.exe
1604	timeout.exe
820	timeout.exe
1836	timeout.exe
108	timeout.exe

Enumerates processes with tasklist 1 TTPs 45 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
1776	tasklist.exe
968	tasklist.exe
1868	tasklist.exe
848	tasklist.exe
1320	tasklist.exe
1364	tasklist.exe
1544	tasklist.exe
1748	tasklist.exe
1912	tasklist.exe
1808	tasklist.exe
1204	tasklist.exe
560	tasklist.exe
1028	tasklist.exe
1632	tasklist.exe
1544	tasklist.exe
2024	tasklist.exe
1632	tasklist.exe
1924	tasklist.exe
408	tasklist.exe
1356	tasklist.exe
1988	tasklist.exe
1744	tasklist.exe
1540	tasklist.exe
1564	tasklist.exe
1924	tasklist.exe
1704	tasklist.exe
1604	tasklist.exe
1356	tasklist.exe
1596	tasklist.exe
1848	tasklist.exe
1580	tasklist.exe
1632	tasklist.exe
1544	tasklist.exe
1456	tasklist.exe
1668	tasklist.exe
1988	tasklist.exe
2040	tasklist.exe
1580	tasklist.exe
1588	tasklist.exe
1544	tasklist.exe
572	tasklist.exe
1584	tasklist.exe
1560	tasklist.exe
628	tasklist.exe
1276	tasklist.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1580 taskkill.exe

pid	process
1580	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1252 reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

mstray.exe@RecoveryYourFiles@.exe

pid process

1488 mstray.exe
1664 @RecoveryYourFiles@.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1112 explorer.exe

pid	process
1252	reg.exe

pid	process
1488	mstray.exe
1664	@RecoveryYourFiles@.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

taskkill.exeexplorer.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeDebugPrivilege	560	tasklist.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeDebugPrivilege	1456	tasklist.exe
Token: SeDebugPrivilege	1668	tasklist.exe
Token: SeDebugPrivilege	1564	tasklist.exe
Token: SeDebugPrivilege	1584	tasklist.exe
Token: SeDebugPrivilege	1924	tasklist.exe
Token: SeDebugPrivilege	1028	tasklist.exe
Token: SeDebugPrivilege	1632	tasklist.exe
Token: SeDebugPrivilege	1704	tasklist.exe
Token: SeDebugPrivilege	1604	tasklist.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeDebugPrivilege	1320	tasklist.exe
Token: SeDebugPrivilege	1560	tasklist.exe
Token: SeDebugPrivilege	1364	tasklist.exe
Token: SeDebugPrivilege	1356	tasklist.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	1988	tasklist.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeDebugPrivilege	2040	tasklist.exe
Token: SeDebugPrivilege	1588	tasklist.exe
Token: SeDebugPrivilege	1580	tasklist.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	1988	tasklist.exe
Token: SeDebugPrivilege	1632	tasklist.exe
Token: SeDebugPrivilege	1776	tasklist.exe
Token: SeDebugPrivilege	1580	tasklist.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	1744	tasklist.exe
Token: SeDebugPrivilege	572	tasklist.exe
Token: SeDebugPrivilege	1632	tasklist.exe
Token: SeDebugPrivilege	1748	tasklist.exe
Token: SeDebugPrivilege	1912	tasklist.exe
Token: SeDebugPrivilege	1924	tasklist.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	2024	tasklist.exe
Token: SeDebugPrivilege	408	tasklist.exe
Token: SeDebugPrivilege	1808	tasklist.exe
Token: SeDebugPrivilege	1540	tasklist.exe
Token: SeShutdownPrivilege	1112	explorer.exe
Token: SeDebugPrivilege	628	tasklist.exe
Token: SeDebugPrivilege	1356	tasklist.exe
Token: SeDebugPrivilege	1596	tasklist.exe
Token: SeDebugPrivilege	1868	tasklist.exe
Token: SeDebugPrivilege	1276	tasklist.exe
Token: SeDebugPrivilege	848	tasklist.exe
Token: SeDebugPrivilege	1204	tasklist.exe
Token: SeDebugPrivilege	968	tasklist.exe
Token: SeDebugPrivilege	1848	tasklist.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

explorer.exe

pid	process
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

explorer.exe

pid	process
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

@RecoveryYourFiles@.exe

pid process

1664 @RecoveryYourFiles@.exe
1664 @RecoveryYourFiles@.exe

pid	process
1664	@RecoveryYourFiles@.exe
1664	@RecoveryYourFiles@.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9M1B.TMP.execmd.exe

description	pid	process	target process
PID 1944 wrote to memory of 1380	1944	9M1B.TMP.exe	cmd.exe
PID 1944 wrote to memory of 1380	1944	9M1B.TMP.exe	cmd.exe
PID 1944 wrote to memory of 1380	1944	9M1B.TMP.exe	cmd.exe
PID 1944 wrote to memory of 1380	1944	9M1B.TMP.exe	cmd.exe
PID 1380 wrote to memory of 1252	1380	cmd.exe	reg.exe
PID 1380 wrote to memory of 1252	1380	cmd.exe	reg.exe
PID 1380 wrote to memory of 1252	1380	cmd.exe	reg.exe
PID 1380 wrote to memory of 1224	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1224	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1224	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 588	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 588	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 588	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 688	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 688	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 688	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 732	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 732	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 732	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 872	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 872	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 872	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1808	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1808	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1808	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1796	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1796	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1796	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1768	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1768	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1768	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1804	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1804	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1804	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1824	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1824	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1824	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1732	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1732	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1732	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1028	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1028	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1028	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1628	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1628	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1628	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1624	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1624	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1624	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1588	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1588	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1588	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1660	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1660	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1660	1380	cmd.exe	cacls.exe
PID 1380 wrote to memory of 1684	1380	cmd.exe	reg.exe
PID 1380 wrote to memory of 1684	1380	cmd.exe	reg.exe
PID 1380 wrote to memory of 1684	1380	cmd.exe	reg.exe
PID 1380 wrote to memory of 1580	1380	cmd.exe	taskkill.exe
PID 1380 wrote to memory of 1580	1380	cmd.exe	taskkill.exe
PID 1380 wrote to memory of 1580	1380	cmd.exe	taskkill.exe
PID 1380 wrote to memory of 1112	1380	cmd.exe	explorer.exe
PID 1380 wrote to memory of 1112	1380	cmd.exe	explorer.exe
PID 1380 wrote to memory of 1112	1380	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\9M1B.TMP.exe
"C:\Users\Admin\AppData\Local\Temp\9M1B.TMP.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\822B.tmp\822C.tmp\822D.bat C:\Users\Admin\AppData\Local\Temp\9M1B.TMP.exe"
2⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msfdhs /f
3⤵
- Modifies registry key
PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1224

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Music\*.*" /e /d everyone
3⤵
PID:588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:688

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Downloads\*.*" /e /d everyone
3⤵
PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:872

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Links\*.*" /e /d everyone
3⤵
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1796

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Favorites\*.*" /e /d everyone
3⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1804

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Documents\*.*" /e /d everyone
3⤵
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1732

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Videos\*.*" /e /d everyone
3⤵
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1628

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Pictures\*.*" /e /d everyone
3⤵
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1588

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Desktop\*.*" /e /d everyone
3⤵
PID:1660

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "mstray" /t REG_SZ /d "C:\Windows\system32\mstray.exe" /f
3⤵
- Adds Run key to start application
PID:1684

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\explorer.exe
explorer.exe
3⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1112

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\@readme@.txt
4⤵
PID:1308

C:\Windows\system32\mstray.exe
C:\Windows\system32\mstray.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1488

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8CD5.tmp\8CD6.tmp\8CD7.bat C:\Windows\system32\mstray.exe"
4⤵
PID:864

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1344

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1280

C:\MiniworldRansom\@RecoveryYourFiles@.exe
C:\MiniworldRansom\@RecoveryYourFiles@.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1580

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1572

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1268

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:900

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1576

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1428

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1832

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1660

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1396

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1456

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1524

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:316

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1108

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1560

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1936

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:108

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1384

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1504

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:2024

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1424

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1632

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1428

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1416

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1904

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1848

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1104

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1596

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1396

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1344

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1284

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1560

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:892

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1576

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1904

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1924

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1380

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1668

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1396

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:2024

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1424

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1808

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:2040

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:688

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1088

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1356

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1924

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1384

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1456

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1988

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1032

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1660

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1864

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1812

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:2040

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1676

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1280

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1804

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1504

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1580

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:584

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1396

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1384

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:2028

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:2016

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:108

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1976

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1204

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1428

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1576

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:2008

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1336

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1848

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:756

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1924

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1456

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1668

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1724

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1644

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:2028

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:608

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:108

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1168

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1428

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1588

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:1568

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1564

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@RecoveryYourFiles@.exe"
5⤵
PID:628

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\find.exe
find /i "@RecoveryYourFiles@.exe"
6⤵
PID:1680

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1176

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MiniworldRansom\@RecoveryYourFiles@.exe
MD5
4fa99da1c78cfaa53253e55043e5f5d4

SHA1
ba8f4be3e782283cc0bacd20eab8a50960bd27a7

SHA256
a65554fbc7aded7f05894923c699c17b909f810a0a4ddf60cf053f07a190db85

SHA512
146da3fc2ca5825b04ceb398ae8d4e711ca77f6f3be6fb5ae7d35030b300e24d00ea8acbe8db2f5ecaebdaa07e7e3e1a84db595d07d061c1dc30d4291feb697f

Download Submit
C:\MiniworldRansom\@RecoveryYourFiles@.exe
MD5
4fa99da1c78cfaa53253e55043e5f5d4

SHA1
ba8f4be3e782283cc0bacd20eab8a50960bd27a7

SHA256
a65554fbc7aded7f05894923c699c17b909f810a0a4ddf60cf053f07a190db85

SHA512
146da3fc2ca5825b04ceb398ae8d4e711ca77f6f3be6fb5ae7d35030b300e24d00ea8acbe8db2f5ecaebdaa07e7e3e1a84db595d07d061c1dc30d4291feb697f

Download Submit
C:\Users\Admin\AppData\Local\Temp\822B.tmp\2Y8U.TMP
MD5
a8b1f3a1ff16facab894394044460a67

SHA1
84807917cd43a75d295340263f34cde7655f90db

SHA256
c35eecb5533a63a7f9f0e32ce559f679e7207448f5be5ccbb2c368cd20aeaab1

SHA512
47fb76a21cecc65474ccd9c6b355afbb61aa482671a61682b6b2759f995bdaf166b97f6153513e7058beb107a24637254f854d58a34bacca80931558d4bd2425

Download Submit
C:\Users\Admin\AppData\Local\Temp\822B.tmp\3R9J.TMP
MD5
4fa99da1c78cfaa53253e55043e5f5d4

SHA1
ba8f4be3e782283cc0bacd20eab8a50960bd27a7

SHA256
a65554fbc7aded7f05894923c699c17b909f810a0a4ddf60cf053f07a190db85

SHA512
146da3fc2ca5825b04ceb398ae8d4e711ca77f6f3be6fb5ae7d35030b300e24d00ea8acbe8db2f5ecaebdaa07e7e3e1a84db595d07d061c1dc30d4291feb697f

Download Submit
C:\Users\Admin\AppData\Local\Temp\822B.tmp\822C.tmp\822D.bat
MD5
e9b7f5e881a2acedaed2ab8a383ae868

SHA1
007dd77306674371ac941350e391f76b95d75892

SHA256
7f46a26b89ef1c5f291b2b5a389160ff00c072e90e8796a0ccd0818476fa7e43

SHA512
bdeb27b48621b5cef41c3c9329ba64c47347d6ee6489177ab2a9ca3a4529bd823f760dcec3d3f030bba517c6accc89d3277c6699a08d32fc33bec6b6e1860acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\822B.tmp\@readme@.txt
MD5
d2d51c6d6cc1cdd77ef953437e55086c

SHA1
2b4d4a9ff45540c137a426ea93d508c8364e1e9e

SHA256
6266559ecd24ef4be236373a0b059415d24ad689ad0a60ba7ee0ca0ee99d31b9

SHA512
440eb2ebb00a3008bf40d2a1a59ce88ca49db30c9fe8179e0947e5b75d6007678e54fc4c2bd1df6f5dfdc4629e7fa99d0039154b9d0904b8ef142f7e681aa7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\822B.tmp\background.jpg
MD5
8caeb0ab9e567bbe2bb1d3a6f8871782

SHA1
c7a5522eccaab5c0d435cf32a982c24ec69ceda3

SHA256
1fead54464769a95c719c665083cd6022c2f8f85d8b865f5481a7ad09d4c1631

SHA512
3d2bb691304c873a8ace9ea8909cd466278487ac2af87fbbb973038e3d0e5bd24e74f85ef7158c1f44290ac21e52ad1ed3bfa1fa061c9fda0165f085c7880619

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CD5.tmp\8CD6.tmp\8CD7.bat
MD5
3f8ac701a1bdb8ce5a89f49c3071aff4

SHA1
84e76f63cf9f91495a5e7eb9220f10c51e4d828f

SHA256
2354202cdaf8d417b682ba1440e84f0aea6495fa4268fb306647a2ea22df9d56

SHA512
1a884548f1fb52d770ee2e1d88282bbc81a0bdbd67087e401efc7ede3afd3f3bc7424100a1e21cd718930d06671af3fe7a51e8812309846a6c9d2b3b49894045

Download Submit
C:\Users\Public\Desktop\@RecoveryYourFiles@.exe
MD5
4fa99da1c78cfaa53253e55043e5f5d4

SHA1
ba8f4be3e782283cc0bacd20eab8a50960bd27a7

SHA256
a65554fbc7aded7f05894923c699c17b909f810a0a4ddf60cf053f07a190db85

SHA512
146da3fc2ca5825b04ceb398ae8d4e711ca77f6f3be6fb5ae7d35030b300e24d00ea8acbe8db2f5ecaebdaa07e7e3e1a84db595d07d061c1dc30d4291feb697f

Download Submit
C:\Users\Public\Desktop\@readme@.txt
MD5
d2d51c6d6cc1cdd77ef953437e55086c

SHA1
2b4d4a9ff45540c137a426ea93d508c8364e1e9e

SHA256
6266559ecd24ef4be236373a0b059415d24ad689ad0a60ba7ee0ca0ee99d31b9

SHA512
440eb2ebb00a3008bf40d2a1a59ce88ca49db30c9fe8179e0947e5b75d6007678e54fc4c2bd1df6f5dfdc4629e7fa99d0039154b9d0904b8ef142f7e681aa7da

Download Submit
C:\Windows\System32\mstray.exe
MD5
a8b1f3a1ff16facab894394044460a67

SHA1
84807917cd43a75d295340263f34cde7655f90db

SHA256
c35eecb5533a63a7f9f0e32ce559f679e7207448f5be5ccbb2c368cd20aeaab1

SHA512
47fb76a21cecc65474ccd9c6b355afbb61aa482671a61682b6b2759f995bdaf166b97f6153513e7058beb107a24637254f854d58a34bacca80931558d4bd2425

Download Submit
memory/108-134-0x0000000000000000-mapping.dmp

Download
memory/316-126-0x0000000000000000-mapping.dmp

Download
memory/560-96-0x0000000000000000-mapping.dmp

Download
memory/588-64-0x0000000000000000-mapping.dmp

Download
memory/688-65-0x0000000000000000-mapping.dmp

Download
memory/732-66-0x0000000000000000-mapping.dmp

Download
memory/820-92-0x0000000000000000-mapping.dmp

Download
memory/864-90-0x0000000000000000-mapping.dmp

Download
memory/872-67-0x0000000000000000-mapping.dmp

Download
memory/900-110-0x0000000000000000-mapping.dmp

Download
memory/1028-74-0x0000000000000000-mapping.dmp

Download
memory/1028-125-0x0000000000000000-mapping.dmp

Download
memory/1108-128-0x0000000000000000-mapping.dmp

Download
memory/1112-106-0x0000000004440000-0x000000000447D000-memory.dmp

Filesize
244KB

Download
memory/1112-89-0x000007FEFB8D1000-0x000007FEFB8D3000-memory.dmp

Filesize
8KB

Download
memory/1112-85-0x0000000000000000-mapping.dmp

Download
memory/1224-63-0x0000000000000000-mapping.dmp

Download
memory/1252-62-0x0000000000000000-mapping.dmp

Download
memory/1268-108-0x0000000000000000-mapping.dmp

Download
memory/1280-97-0x0000000000000000-mapping.dmp

Download
memory/1320-127-0x0000000000000000-mapping.dmp

Download
memory/1344-95-0x0000000000000000-mapping.dmp

Download
memory/1380-60-0x0000000000000000-mapping.dmp

Download
memory/1384-136-0x0000000000000000-mapping.dmp

Download
memory/1396-120-0x0000000000000000-mapping.dmp

Download
memory/1416-101-0x0000000000000000-mapping.dmp

Download
memory/1428-114-0x0000000000000000-mapping.dmp

Download
memory/1456-122-0x0000000000000000-mapping.dmp

Download
memory/1456-104-0x0000000000000000-mapping.dmp

Download
memory/1488-86-0x0000000000000000-mapping.dmp

Download
memory/1504-138-0x0000000000000000-mapping.dmp

Download
memory/1524-124-0x0000000000000000-mapping.dmp

Download
memory/1532-131-0x0000000000000000-mapping.dmp

Download
memory/1560-130-0x0000000000000000-mapping.dmp

Download
memory/1564-113-0x0000000000000000-mapping.dmp

Download
memory/1572-105-0x0000000000000000-mapping.dmp

Download
memory/1576-112-0x0000000000000000-mapping.dmp

Download
memory/1580-84-0x0000000000000000-mapping.dmp

Download
memory/1580-103-0x0000000000000000-mapping.dmp

Download
memory/1584-117-0x0000000000000000-mapping.dmp

Download
memory/1588-77-0x0000000000000000-mapping.dmp

Download
memory/1596-119-0x0000000000000000-mapping.dmp

Download
memory/1604-137-0x0000000000000000-mapping.dmp

Download
memory/1624-76-0x0000000000000000-mapping.dmp

Download
memory/1628-75-0x0000000000000000-mapping.dmp

Download
memory/1632-129-0x0000000000000000-mapping.dmp

Download
memory/1660-118-0x0000000000000000-mapping.dmp

Download
memory/1660-78-0x0000000000000000-mapping.dmp

Download
memory/1664-99-0x0000000000000000-mapping.dmp

Download
memory/1668-109-0x0000000000000000-mapping.dmp

Download
memory/1684-83-0x0000000000000000-mapping.dmp

Download
memory/1704-133-0x0000000000000000-mapping.dmp

Download
memory/1732-73-0x0000000000000000-mapping.dmp

Download
memory/1740-107-0x0000000000000000-mapping.dmp

Download
memory/1740-123-0x0000000000000000-mapping.dmp

Download
memory/1744-111-0x0000000000000000-mapping.dmp

Download
memory/1768-70-0x0000000000000000-mapping.dmp

Download
memory/1796-69-0x0000000000000000-mapping.dmp

Download
memory/1804-71-0x0000000000000000-mapping.dmp

Download
memory/1808-68-0x0000000000000000-mapping.dmp

Download
memory/1824-72-0x0000000000000000-mapping.dmp

Download
memory/1832-116-0x0000000000000000-mapping.dmp

Download
memory/1836-115-0x0000000000000000-mapping.dmp

Download
memory/1848-135-0x0000000000000000-mapping.dmp

Download
memory/1924-121-0x0000000000000000-mapping.dmp

Download
memory/1936-132-0x0000000000000000-mapping.dmp

Download
memory/1944-59-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads