xmrig | d455b4adb3367a9f0dc67c1f4ff2371d5495eac4db016fbabe4fe8e3d61b2a06

Analysis

max time kernel
150s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
16-07-2021 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9M1B.TMP.exe
Size

751KB
MD5

15f71f76e53975f8276b6736741342f3
SHA1

b185723d4b783392dc0229cee1b3d682662cea37
SHA256

d455b4adb3367a9f0dc67c1f4ff2371d5495eac4db016fbabe4fe8e3d61b2a06
SHA512

4ad2b8f1220188ece7b66f9480f72fd90212ff75bb587d557187b6ed0039bfe7f74f957fc5ca3c5fa88457736eb78a93a64332c3b81e75e624dc777077681e02

Score

10^/10

xmrig miner persistence ransomware upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 2 IoCs

Processes:

mstray.exe@[email protected]

pid process

4400 mstray.exe
4124 @[email protected]
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
4400	mstray.exe
4124	@[email protected]

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

cmd.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExportExit.raw => C:\Users\Admin\Pictures\ExportExit.raw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\FormatComplete.png => C:\Users\Admin\Pictures\FormatComplete.png.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\LockComplete.raw => C:\Users\Admin\Pictures\LockComplete.raw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\RedoImport.raw => C:\Users\Admin\Pictures\RedoImport.raw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\SyncReceive.raw => C:\Users\Admin\Pictures\SyncReceive.raw.MCNB	cmd.exe
File renamed	C:\Users\Admin\Pictures\UnlockWait.raw => C:\Users\Admin\Pictures\UnlockWait.raw.MCNB	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\787.tmp\2Y8U.TMP	upx
C:\Windows\System32\mstray.exe	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstray = "C:\\Windows\\system32\\mstray.exe"	reg.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cmd.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\F:	cmd.exe
File opened (read-only)	\??\H:	cmd.exe
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\J:	cmd.exe
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\M:	cmd.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\G:	cmd.exe
File opened (read-only)	\??\N:	cmd.exe
File opened (read-only)	\??\W:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\U:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\P:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\system32\mstray.exe cmd.exe
File opened for modification C:\Windows\system32\mstray.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\system32\mstray.exe	cmd.exe
File opened for modification	C:\Windows\system32\mstray.exe	cmd.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe

Delays execution with timeout.exe 50 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3584	timeout.exe
2228	timeout.exe
4248	timeout.exe
1956	timeout.exe
3508	timeout.exe
812	timeout.exe
3268	timeout.exe
3436	timeout.exe
3532	timeout.exe
3440	timeout.exe
3680	timeout.exe
1432	timeout.exe
4224	timeout.exe
3944	timeout.exe
1532	timeout.exe
3260	timeout.exe
5076	timeout.exe
644	timeout.exe
4688	timeout.exe
4024	timeout.exe
3176	timeout.exe
504	timeout.exe
3252	timeout.exe
3268	timeout.exe
3472	timeout.exe
184	timeout.exe
1876	timeout.exe
2856	timeout.exe
3860	timeout.exe
3668	timeout.exe
3996	timeout.exe
4000	timeout.exe
4144	timeout.exe
5004	timeout.exe
4440	timeout.exe
8	timeout.exe
3732	timeout.exe
3564	timeout.exe
3872	timeout.exe
3332	timeout.exe
4720	timeout.exe
3648	timeout.exe
3344	timeout.exe
5084	timeout.exe
3980	timeout.exe
3236	timeout.exe
4112	timeout.exe
1720	timeout.exe
5104	timeout.exe
3164	timeout.exe

Enumerates processes with tasklist 1 TTPs 49 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
2272	tasklist.exe
3172	tasklist.exe
428	tasklist.exe
4144	tasklist.exe
1832	tasklist.exe
3704	tasklist.exe
2124	tasklist.exe
3924	tasklist.exe
1216	tasklist.exe
644	tasklist.exe
3164	tasklist.exe
4284	tasklist.exe
4052	tasklist.exe
1016	tasklist.exe
3496	tasklist.exe
3712	tasklist.exe
2840	tasklist.exe
4004	tasklist.exe
2772	tasklist.exe
4268	tasklist.exe
3608	tasklist.exe
3720	tasklist.exe
4360	tasklist.exe
4044	tasklist.exe
4208	tasklist.exe
3920	tasklist.exe
4252	tasklist.exe
3852	tasklist.exe
1124	tasklist.exe
4228	tasklist.exe
4708	tasklist.exe
3812	tasklist.exe
908	tasklist.exe
4012	tasklist.exe
2740	tasklist.exe
3076	tasklist.exe
2704	tasklist.exe
2672	tasklist.exe
2396	tasklist.exe
3276	tasklist.exe
4996	tasklist.exe
4252	tasklist.exe
4280	tasklist.exe
2272	tasklist.exe
2936	tasklist.exe
1832	tasklist.exe
2388	tasklist.exe
8	tasklist.exe
3980	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4280 taskkill.exe

pid	process
4280	taskkill.exe

Modifies registry class 29 IoCs

Processes:

SearchUI.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c100000000000002000000e50707004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000b86cd272517ad70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50707004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000cf817372517ad70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000033a4c4b1d72dd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132625117264543786"	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5112 reg.exe

pid	process
5112	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeexplorer.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	4280	taskkill.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeDebugPrivilege	8	tasklist.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeDebugPrivilege	4252	tasklist.exe
Token: SeDebugPrivilege	4280	tasklist.exe
Token: SeDebugPrivilege	2772	tasklist.exe
Token: SeDebugPrivilege	3852	tasklist.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeDebugPrivilege	3704	tasklist.exe
Token: SeDebugPrivilege	3608	tasklist.exe
Token: SeDebugPrivilege	2124	tasklist.exe
Token: SeDebugPrivilege	1016	tasklist.exe
Token: SeDebugPrivilege	4268	tasklist.exe
Token: SeDebugPrivilege	3980	tasklist.exe
Token: SeDebugPrivilege	3712	tasklist.exe
Token: SeDebugPrivilege	2840	tasklist.exe
Token: SeDebugPrivilege	3276	tasklist.exe
Token: SeDebugPrivilege	4996	tasklist.exe
Token: SeDebugPrivilege	3720	tasklist.exe
Token: SeDebugPrivilege	2936	tasklist.exe
Token: SeDebugPrivilege	4360	tasklist.exe
Token: SeDebugPrivilege	2740	tasklist.exe
Token: SeDebugPrivilege	3496	tasklist.exe
Token: SeShutdownPrivilege	4376	explorer.exe
Token: SeCreatePagefilePrivilege	4376	explorer.exe
Token: SeDebugPrivilege	4044	tasklist.exe
Token: SeDebugPrivilege	908	tasklist.exe
Token: SeDebugPrivilege	2272	tasklist.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

explorer.exe

pid	process
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

explorer.exe

pid	process
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe
4376	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

ShellExperienceHost.exeSearchUI.exe@[email protected]

pid process

1584 ShellExperienceHost.exe
1852 SearchUI.exe
1584 ShellExperienceHost.exe
4124 @[email protected]
4124 @[email protected]

pid	process
1584	ShellExperienceHost.exe
1852	SearchUI.exe
1584	ShellExperienceHost.exe
4124	@[email protected]
4124	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9M1B.TMP.execmd.exemstray.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4428 wrote to memory of 5012	4428	9M1B.TMP.exe	cmd.exe
PID 4428 wrote to memory of 5012	4428	9M1B.TMP.exe	cmd.exe
PID 5012 wrote to memory of 5112	5012	cmd.exe	reg.exe
PID 5012 wrote to memory of 5112	5012	cmd.exe	reg.exe
PID 5012 wrote to memory of 3256	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 3256	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 3300	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 3300	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 3116	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 3116	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 1936	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 1936	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 2332	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 2332	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 4116	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 4116	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 4060	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 4060	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 4024	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 4024	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 4108	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 4108	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 4036	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 4036	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 4056	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 4056	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 4156	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 4156	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 4184	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 4184	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 4168	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 4168	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 4228	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 4228	5012	cmd.exe	cmd.exe
PID 5012 wrote to memory of 4208	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 4208	5012	cmd.exe	cacls.exe
PID 5012 wrote to memory of 4244	5012	cmd.exe	reg.exe
PID 5012 wrote to memory of 4244	5012	cmd.exe	reg.exe
PID 5012 wrote to memory of 4280	5012	cmd.exe	taskkill.exe
PID 5012 wrote to memory of 4280	5012	cmd.exe	taskkill.exe
PID 5012 wrote to memory of 4376	5012	cmd.exe	explorer.exe
PID 5012 wrote to memory of 4376	5012	cmd.exe	explorer.exe
PID 5012 wrote to memory of 4400	5012	cmd.exe	mstray.exe
PID 5012 wrote to memory of 4400	5012	cmd.exe	mstray.exe
PID 5012 wrote to memory of 4400	5012	cmd.exe	mstray.exe
PID 4400 wrote to memory of 192	4400	mstray.exe	cmd.exe
PID 4400 wrote to memory of 192	4400	mstray.exe	cmd.exe
PID 192 wrote to memory of 1956	192	cmd.exe	timeout.exe
PID 192 wrote to memory of 1956	192	cmd.exe	timeout.exe
PID 192 wrote to memory of 3640	192	cmd.exe	cmd.exe
PID 192 wrote to memory of 3640	192	cmd.exe	cmd.exe
PID 3640 wrote to memory of 8	3640	cmd.exe	tasklist.exe
PID 3640 wrote to memory of 8	3640	cmd.exe	tasklist.exe
PID 3640 wrote to memory of 1936	3640	cmd.exe	find.exe
PID 3640 wrote to memory of 1936	3640	cmd.exe	find.exe
PID 192 wrote to memory of 4124	192	cmd.exe	@[email protected]
PID 192 wrote to memory of 4124	192	cmd.exe	@[email protected]
PID 192 wrote to memory of 4124	192	cmd.exe	@[email protected]
PID 192 wrote to memory of 4112	192	cmd.exe	timeout.exe
PID 192 wrote to memory of 4112	192	cmd.exe	timeout.exe
PID 192 wrote to memory of 4260	192	cmd.exe	cmd.exe
PID 192 wrote to memory of 4260	192	cmd.exe	cmd.exe
PID 4260 wrote to memory of 4252	4260	cmd.exe	tasklist.exe
PID 4260 wrote to memory of 4252	4260	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\9M1B.TMP.exe
"C:\Users\Admin\AppData\Local\Temp\9M1B.TMP.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\787.tmp\798.tmp\799.bat C:\Users\Admin\AppData\Local\Temp\9M1B.TMP.exe"
2⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msfdhs /f
3⤵
- Modifies registry key
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3256

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Music\*.*" /e /d everyone
3⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:3116

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Downloads\*.*" /e /d everyone
3⤵
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2332

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Links\*.*" /e /d everyone
3⤵
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4060

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Favorites\*.*" /e /d everyone
3⤵
PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4108

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Documents\*.*" /e /d everyone
3⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4056

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Videos\*.*" /e /d everyone
3⤵
PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4184

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Pictures\*.*" /e /d everyone
3⤵
PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4228

C:\Windows\system32\cacls.exe
cacls "C:\Users\Admin\Desktop\*.*" /e /d everyone
3⤵
PID:4208

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "mstray" /t REG_SZ /d "C:\Windows\system32\mstray.exe" /f
3⤵
- Adds Run key to start application
PID:4244

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\explorer.exe
explorer.exe
3⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4376

C:\Windows\system32\mstray.exe
C:\Windows\system32\mstray.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F38.tmp\F39.tmp\F4A.bat C:\Windows\system32\mstray.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:192

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:1936

C:\MiniworldRansom\@[email protected]
C:\MiniworldRansom\@[email protected]
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4208

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4308

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:2840

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:184

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3176

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:2936

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:1872

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3544

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3496

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3528

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3452

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:2272

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4912

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:748

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:2196

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4032

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4244

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:5096

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4892

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3076

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3864

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4280

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4308

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:2472

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3220

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:5068

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4432

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3728

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3084

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3900

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:2948

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:2148

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4436

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3880

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3380

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3500

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3544

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3408

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3608

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4656

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:2544

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:2240

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4016

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3116

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:1832

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:2196

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:5032

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:3924

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4132

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4216

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:4012

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:1068

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4072

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:4208

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3868

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:5096

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:1216

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:996

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4860

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:3076

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4392

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4600

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:2704

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4720

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3276

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:3172

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3264

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4160

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:428

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4168

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4148

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:4144

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3740

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3856

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:644

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3972

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4108

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:3164

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:1588

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:1256

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:2388

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3804

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4612

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:2672

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:2312

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3880

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:4708

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4744

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3680

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:4284

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3916

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3500

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:3920

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3992

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3608

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:4004

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4204

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3344

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:2396

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:2268

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:1904

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:2272

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4016

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:2260

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:1832

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:2196

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4240

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:4252

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4132

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:4364

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:1124

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:1068

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:1720

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:4228

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:4260

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:3632

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:4052

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:1236

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
5⤵
PID:516

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:3812

C:\Windows\system32\find.exe
find /i "@[email protected]"
6⤵
PID:3864

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3236

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1852

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MiniworldRansom\@[email protected]
MD5
4fa99da1c78cfaa53253e55043e5f5d4

SHA1
ba8f4be3e782283cc0bacd20eab8a50960bd27a7

SHA256
a65554fbc7aded7f05894923c699c17b909f810a0a4ddf60cf053f07a190db85

SHA512
146da3fc2ca5825b04ceb398ae8d4e711ca77f6f3be6fb5ae7d35030b300e24d00ea8acbe8db2f5ecaebdaa07e7e3e1a84db595d07d061c1dc30d4291feb697f

Download Submit
C:\MiniworldRansom\@[email protected]
MD5
4fa99da1c78cfaa53253e55043e5f5d4

SHA1
ba8f4be3e782283cc0bacd20eab8a50960bd27a7

SHA256
a65554fbc7aded7f05894923c699c17b909f810a0a4ddf60cf053f07a190db85

SHA512
146da3fc2ca5825b04ceb398ae8d4e711ca77f6f3be6fb5ae7d35030b300e24d00ea8acbe8db2f5ecaebdaa07e7e3e1a84db595d07d061c1dc30d4291feb697f

Download Submit
C:\Users\Admin\AppData\Local\Temp\787.tmp\2Y8U.TMP
MD5
a8b1f3a1ff16facab894394044460a67

SHA1
84807917cd43a75d295340263f34cde7655f90db

SHA256
c35eecb5533a63a7f9f0e32ce559f679e7207448f5be5ccbb2c368cd20aeaab1

SHA512
47fb76a21cecc65474ccd9c6b355afbb61aa482671a61682b6b2759f995bdaf166b97f6153513e7058beb107a24637254f854d58a34bacca80931558d4bd2425

Download Submit
C:\Users\Admin\AppData\Local\Temp\787.tmp\3R9J.TMP
MD5
4fa99da1c78cfaa53253e55043e5f5d4

SHA1
ba8f4be3e782283cc0bacd20eab8a50960bd27a7

SHA256
a65554fbc7aded7f05894923c699c17b909f810a0a4ddf60cf053f07a190db85

SHA512
146da3fc2ca5825b04ceb398ae8d4e711ca77f6f3be6fb5ae7d35030b300e24d00ea8acbe8db2f5ecaebdaa07e7e3e1a84db595d07d061c1dc30d4291feb697f

Download Submit
C:\Users\Admin\AppData\Local\Temp\787.tmp\798.tmp\799.bat
MD5
e9b7f5e881a2acedaed2ab8a383ae868

SHA1
007dd77306674371ac941350e391f76b95d75892

SHA256
7f46a26b89ef1c5f291b2b5a389160ff00c072e90e8796a0ccd0818476fa7e43

SHA512
bdeb27b48621b5cef41c3c9329ba64c47347d6ee6489177ab2a9ca3a4529bd823f760dcec3d3f030bba517c6accc89d3277c6699a08d32fc33bec6b6e1860acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\787.tmp\@[email protected]
MD5
d2d51c6d6cc1cdd77ef953437e55086c

SHA1
2b4d4a9ff45540c137a426ea93d508c8364e1e9e

SHA256
6266559ecd24ef4be236373a0b059415d24ad689ad0a60ba7ee0ca0ee99d31b9

SHA512
440eb2ebb00a3008bf40d2a1a59ce88ca49db30c9fe8179e0947e5b75d6007678e54fc4c2bd1df6f5dfdc4629e7fa99d0039154b9d0904b8ef142f7e681aa7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\787.tmp\background.jpg
MD5
8caeb0ab9e567bbe2bb1d3a6f8871782

SHA1
c7a5522eccaab5c0d435cf32a982c24ec69ceda3

SHA256
1fead54464769a95c719c665083cd6022c2f8f85d8b865f5481a7ad09d4c1631

SHA512
3d2bb691304c873a8ace9ea8909cd466278487ac2af87fbbb973038e3d0e5bd24e74f85ef7158c1f44290ac21e52ad1ed3bfa1fa061c9fda0165f085c7880619

Download Submit
C:\Users\Admin\AppData\Local\Temp\F38.tmp\F39.tmp\F4A.bat
MD5
3f8ac701a1bdb8ce5a89f49c3071aff4

SHA1
84e76f63cf9f91495a5e7eb9220f10c51e4d828f

SHA256
2354202cdaf8d417b682ba1440e84f0aea6495fa4268fb306647a2ea22df9d56

SHA512
1a884548f1fb52d770ee2e1d88282bbc81a0bdbd67087e401efc7ede3afd3f3bc7424100a1e21cd718930d06671af3fe7a51e8812309846a6c9d2b3b49894045

Download Submit
C:\Users\Public\Desktop\@[email protected]
MD5
4fa99da1c78cfaa53253e55043e5f5d4

SHA1
ba8f4be3e782283cc0bacd20eab8a50960bd27a7

SHA256
a65554fbc7aded7f05894923c699c17b909f810a0a4ddf60cf053f07a190db85

SHA512
146da3fc2ca5825b04ceb398ae8d4e711ca77f6f3be6fb5ae7d35030b300e24d00ea8acbe8db2f5ecaebdaa07e7e3e1a84db595d07d061c1dc30d4291feb697f

Download Submit
C:\Windows\System32\mstray.exe
MD5
a8b1f3a1ff16facab894394044460a67

SHA1
84807917cd43a75d295340263f34cde7655f90db

SHA256
c35eecb5533a63a7f9f0e32ce559f679e7207448f5be5ccbb2c368cd20aeaab1

SHA512
47fb76a21cecc65474ccd9c6b355afbb61aa482671a61682b6b2759f995bdaf166b97f6153513e7058beb107a24637254f854d58a34bacca80931558d4bd2425

Download Submit
memory/8-148-0x0000000000000000-mapping.dmp

Download
memory/184-162-0x0000000000000000-mapping.dmp

Download
memory/192-142-0x0000000000000000-mapping.dmp

Download
memory/748-182-0x0000000000000000-mapping.dmp

Download
memory/812-181-0x0000000000000000-mapping.dmp

Download
memory/1016-183-0x0000000000000000-mapping.dmp

Download
memory/1872-168-0x0000000000000000-mapping.dmp

Download
memory/1936-120-0x0000000000000000-mapping.dmp

Download
memory/1936-149-0x0000000000000000-mapping.dmp

Download
memory/1956-144-0x0000000000000000-mapping.dmp

Download
memory/2124-179-0x0000000000000000-mapping.dmp

Download
memory/2196-184-0x0000000000000000-mapping.dmp

Download
memory/2272-178-0x0000000000000000-mapping.dmp

Download
memory/2332-121-0x0000000000000000-mapping.dmp

Download
memory/2772-163-0x0000000000000000-mapping.dmp

Download
memory/2840-160-0x0000000000000000-mapping.dmp

Download
memory/2936-166-0x0000000000000000-mapping.dmp

Download
memory/3116-119-0x0000000000000000-mapping.dmp

Download
memory/3176-164-0x0000000000000000-mapping.dmp

Download
memory/3256-117-0x0000000000000000-mapping.dmp

Download
memory/3300-118-0x0000000000000000-mapping.dmp

Download
memory/3332-157-0x0000000000000000-mapping.dmp

Download
memory/3344-177-0x0000000000000000-mapping.dmp

Download
memory/3452-176-0x0000000000000000-mapping.dmp

Download
memory/3472-173-0x0000000000000000-mapping.dmp

Download
memory/3496-172-0x0000000000000000-mapping.dmp

Download
memory/3508-165-0x0000000000000000-mapping.dmp

Download
memory/3528-174-0x0000000000000000-mapping.dmp

Download
memory/3544-170-0x0000000000000000-mapping.dmp

Download
memory/3608-175-0x0000000000000000-mapping.dmp

Download
memory/3640-147-0x0000000000000000-mapping.dmp

Download
memory/3648-169-0x0000000000000000-mapping.dmp

Download
memory/3704-171-0x0000000000000000-mapping.dmp

Download
memory/3852-167-0x0000000000000000-mapping.dmp

Download
memory/4000-185-0x0000000000000000-mapping.dmp

Download
memory/4024-124-0x0000000000000000-mapping.dmp

Download
memory/4032-186-0x0000000000000000-mapping.dmp

Download
memory/4036-126-0x0000000000000000-mapping.dmp

Download
memory/4056-127-0x0000000000000000-mapping.dmp

Download
memory/4060-123-0x0000000000000000-mapping.dmp

Download
memory/4108-125-0x0000000000000000-mapping.dmp

Download
memory/4112-153-0x0000000000000000-mapping.dmp

Download
memory/4116-122-0x0000000000000000-mapping.dmp

Download
memory/4124-150-0x0000000000000000-mapping.dmp

Download
memory/4156-128-0x0000000000000000-mapping.dmp

Download
memory/4168-130-0x0000000000000000-mapping.dmp

Download
memory/4184-129-0x0000000000000000-mapping.dmp

Download
memory/4208-156-0x0000000000000000-mapping.dmp

Download
memory/4208-132-0x0000000000000000-mapping.dmp

Download
memory/4228-131-0x0000000000000000-mapping.dmp

Download
memory/4244-137-0x0000000000000000-mapping.dmp

Download
memory/4244-188-0x0000000000000000-mapping.dmp

Download
memory/4252-155-0x0000000000000000-mapping.dmp

Download
memory/4260-154-0x0000000000000000-mapping.dmp

Download
memory/4268-187-0x0000000000000000-mapping.dmp

Download
memory/4280-138-0x0000000000000000-mapping.dmp

Download
memory/4280-159-0x0000000000000000-mapping.dmp

Download
memory/4308-158-0x0000000000000000-mapping.dmp

Download
memory/4376-139-0x0000000000000000-mapping.dmp

Download
memory/4376-146-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/4400-140-0x0000000000000000-mapping.dmp

Download
memory/4720-161-0x0000000000000000-mapping.dmp

Download
memory/4912-180-0x0000000000000000-mapping.dmp

Download
memory/5012-114-0x0000000000000000-mapping.dmp

Download
memory/5112-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads