c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f

Analysis

max time kernel
300s
max time network
302s
platform
windows7_x64
resource
win7-en-20210920
submitted
29-10-2021 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
Size

106KB
MD5

af745cf9bbc68f8652678a1299abb68d
SHA1

cd4793e42b0a27b2d73bc558d2d01842f73311e4
SHA256

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f
SHA512

22fdaa9a782c1e3c08b0403dee317ccb441eec6c461a7b3372e184c557ba7721ab62412a161a9b33ee96fe4f8240ccc1f5142bfa76a14b2001b73a113ff018fd

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\decrypt_info.txt

Ransom Note

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] or: [email protected] (Backup mail) Send us this file decrypt_info ================================================================================================================= Free decryption as a guarantee Before paying, you can send 1-2 files for free decryption. File format: txt doc pdf jpeg jpg gif png bmp Total file size should not exceed 2 MB (without archive) ====================================================== You can buy Bitcoins here: https://localbitcoins.com Or use the search how to buy Bitcoins in your country ================================================================================================================= IMPORTANT!!! Remember that your files are encrypted and only WE can recover them! Do not try to recover yourself, as well as on third-party resources, you will lose your files and money forever! =============================================================================================================== Key Identifier: 0HJwFosZTroKtHExYxlJycpcJyx9jfQSsEGAsJoUHNj7HkOc0guXIJ50/LzSXytHhxCk6GDQs9XMdV7e36K3cE2gNTl1GtQsm07J8wi/DNwp07QYm9Xj++HEhtCwk0reuJFYPq6ppYLXrH5lc7iBqQJsqIPZQCbOBR7KcEy9G2QD1aYzscudIqijAu2nW9jeHx+t4WbUue5t4CmGreMYb5bHYeJsGu7VSLHFmp78caanHyW/4eXRlanW/3poPQlUCTksxXV6MMjtLLUKZK4O7KAg09Hb+tTDftucexCMExFA9b3VfbKNtP46IiZUiCYMP2xmQ/c1ja3a9SuJxm1L3jjlyJFiyCtDig4VGhuE5HQ77AdLLA8eDOX0aw6M9FKbfcXKSL6YbxSgIg8FyVFy/d8FiU4GHkaIuxCv4xrocB3bb/CTP/Z3xtv6IXLVcSQAEcFpnxPMENT5X2iLVY6OgDPBjr+hFB4oci5m2ma9tLa5h4DFtqqzmbiXf0Z6UI1MvakzVZwuDd3kRpZCqaMdWM0c0YL8VAPGF2lVqyueqy0ap3e+sND+trv0g5QjIlfIPEejF2CCc0ez81pGDGPonMZcOH/oioL6SsIBdmghvQvnZOoZsBN47JuTueuJdbHhQDe6+S3RpyOvQiIXBaKRq2XPeQO+1rC4QMAkHThlGm8= PC Hardware ID: DCE526E0

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\decrypt_info.txt

Ransom Note

Emails

[email protected]

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\MergeRename.tiff	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1760 cmd.exe

pid	process
1760	cmd.exe

Drops startup file 1 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

Drops desktop.ini file(s) 6 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	ioc	process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

Drops file in Program Files directory 46 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	ioc	process
File opened for modification	C:\Program Files\ReceiveLock.midi	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\SelectInvoke.rle	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\UpdateUnregister.xls.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\DebugConvert.tif.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\PublishApprove.au	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\EditWatch.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\EditWatch.ini.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ExpandMerge.csv	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ExpandMerge.csv.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\PublishApprove.au.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ReceiveLock.midi.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\CompressHide.vdx	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\CopyReset.rar	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\SelectInvoke.rle.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\UnblockHide.mp4v	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\DebugConvert.tif	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ExitApprove.wma	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ExitApprove.wma.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\NewRedo.js.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ReadPop.tiff.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ReadWrite.3gp2.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ApproveRequest.asp	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\CopyReset.rar.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\UnblockHide.mp4v.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\UnprotectUninstall.mid.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ReadWrite.3gp2	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\UnprotectRestore.ps1.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ReadPop.tiff	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ReceiveAdd.rm	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\SaveSkip.ex_.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\UnprotectUninstall.mid	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\DisableWrite.zip	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\NewRedo.js	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\MoveTrace.mpv2	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\MoveTrace.mpv2.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\RedoNew.xltm	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ApproveRequest.asp.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\CompressHide.vdx.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ExportConfirm.mpg.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ReceiveAdd.rm.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\RedoNew.xltm.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\DisableWrite.zip.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ExportConfirm.mpg	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\UpdateUnregister.xls	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\SaveSkip.ex_	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\UnprotectRestore.ps1	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

Drops file in Windows directory 28 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	ioc	process
File opened for modification	C:\Windows\PFRO.log	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\setupact.log.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\TSSysprep.log.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\PFRO.log.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\WindowsUpdate.log.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\msdfmap.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\setuperr.log	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\setupact.log	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\system.ini.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File created	C:\Windows\decrypt_info.txt	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\bootstat.dat	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\system.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\Ultimate.xml	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\Ultimate.xml.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\win.ini.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\WMSysPr9.prx	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\WindowsUpdate.log	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\mib.bin	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\msdfmap.ini.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\Starter.xml	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\Starter.xml.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\TSSysprep.log	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\win.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File created	C:\Windows\bootstat.dat.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\DtcInstall.log	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\DtcInstall.log.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\WindowsShell.Manifest.[ID-DCE526E0].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1832	taskkill.exe
1368	taskkill.exe
1420	taskkill.exe
1772	taskkill.exe
1612	taskkill.exe
1668	taskkill.exe
1008	taskkill.exe
1196	taskkill.exe
1596	taskkill.exe
1648	taskkill.exe
1848	taskkill.exe
944	taskkill.exe
1972	taskkill.exe
1704	taskkill.exe
1724	taskkill.exe
1764	taskkill.exe
1592	taskkill.exe
1772	taskkill.exe
1056	taskkill.exe
1228	taskkill.exe
1736	taskkill.exe
1804	taskkill.exe
1760	taskkill.exe
1364	taskkill.exe
548	taskkill.exe
1676	taskkill.exe
896	taskkill.exe
1684	taskkill.exe
1576	taskkill.exe
340	taskkill.exe
2028	taskkill.exe
1700	taskkill.exe
2028	taskkill.exe
924	taskkill.exe
1128	taskkill.exe
1092	taskkill.exe
1728	taskkill.exe
2044	taskkill.exe
1592	taskkill.exe
2016	taskkill.exe
1368	taskkill.exe
1924	taskkill.exe
1728	taskkill.exe
1460	taskkill.exe
1544	taskkill.exe
1408	taskkill.exe
560	taskkill.exe
1152	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1176 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1596 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1308 PING.EXE

pid	process
1176	reg.exe

pid	process
1596	notepad.exe

pid	process
1308	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

pid	process
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.exetaskkill.exetaskkill.exetaskkill.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.exetaskkill.exetaskkill.exepowershell.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1128	taskkill.exe
Token: SeDebugPrivilege	1092	conhost.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1736	conhost.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1676	conhost.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1008	conhost.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	340	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

pid process

752 c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

pid process

752 c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	pid	process	target process
PID 752 wrote to memory of 1420	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1420	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1420	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1420	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1872	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 752 wrote to memory of 1872	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 752 wrote to memory of 1872	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 752 wrote to memory of 1872	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 752 wrote to memory of 1176	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 752 wrote to memory of 1176	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 752 wrote to memory of 1176	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 752 wrote to memory of 1176	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 752 wrote to memory of 1040	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	schtasks.exe
PID 752 wrote to memory of 1040	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	schtasks.exe
PID 752 wrote to memory of 1040	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	schtasks.exe
PID 752 wrote to memory of 1040	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	schtasks.exe
PID 752 wrote to memory of 1880	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	netsh.exe
PID 752 wrote to memory of 1880	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	netsh.exe
PID 752 wrote to memory of 1880	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	netsh.exe
PID 752 wrote to memory of 1880	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	netsh.exe
PID 752 wrote to memory of 1608	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1608	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1608	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1608	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1912	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1912	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1912	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1912	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1184	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1184	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1184	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1184	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1740	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1740	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1740	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1740	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1064	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1064	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1064	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1064	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1380	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1380	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1380	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1380	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 2024	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 2024	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 2024	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 2024	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 900	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 900	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 900	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 900	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 752 wrote to memory of 1056	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1056	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1056	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1056	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1592	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1592	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1592	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1592	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1596	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1596	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1596	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 752 wrote to memory of 1596	752	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

C:\Users\Admin\AppData\Local\Temp\c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
"C:\Users\Admin\AppData\Local\Temp\c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:752
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1872
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1176
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1040
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1880
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1608
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1912
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1184
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1740
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1064
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1380
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:2024
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:900
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1772
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:1092
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:1368
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1708
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:1736
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:1676
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:296
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:896
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:1008
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:340
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:340
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1944
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\decrypt_info.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1596
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1308
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
  2⤵
  - Deletes itself
  PID:1760
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "374974841-725674899-41934098607261480-1006113283-912137817-1991060793-2094246369"
1⤵
PID:896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-205895794416129037221688961156177746177613377037431767822558-100915762420696786"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1923001964639266095-1583496888435004594-1619378021-1902796504-1667243790-983624634"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-275574535-1586773739-10407034901847019630-89266152747894984-13248757661751436310"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-639826604-887406887-1773767249-1087930381-402078007-512413841029061795-1336751633"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\decrypt_info.txt

MD5
5c13376caedc535c86fd66b646bb2c80

SHA1
9a0a21132ee9319fd5353bf48b50f2e1576c38c6

SHA256
43f7ece56f44c57ee9c34437be761b4d434a16db95946c4b2cad91a2bed30a49

SHA512
33f28a157606cdce60dfe11a129ad37d959206824e3edddbc862e61c1708dc7fcb691b913ef634f9d2b28deccc9a15a3b8f4b96e43b77669082d9d06699152c8

Download Submit
memory/296-98-0x0000000000000000-mapping.dmp

Download
memory/340-121-0x0000000000000000-mapping.dmp

Download
memory/340-102-0x0000000000000000-mapping.dmp

Download
memory/340-123-0x0000000002630000-0x000000000327A000-memory.dmp

Filesize
12.3MB

Download
memory/548-77-0x0000000000000000-mapping.dmp

Download
memory/560-95-0x0000000000000000-mapping.dmp

Download
memory/752-54-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/752-56-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/896-99-0x0000000000000000-mapping.dmp

Download
memory/900-69-0x0000000000000000-mapping.dmp

Download
memory/924-79-0x0000000000000000-mapping.dmp

Download
memory/944-107-0x0000000000000000-mapping.dmp

Download
memory/1008-103-0x0000000000000000-mapping.dmp

Download
memory/1040-60-0x0000000000000000-mapping.dmp

Download
memory/1056-70-0x0000000000000000-mapping.dmp

Download
memory/1064-66-0x0000000000000000-mapping.dmp

Download
memory/1092-86-0x0000000000000000-mapping.dmp

Download
memory/1128-85-0x0000000000000000-mapping.dmp

Download
memory/1152-115-0x0000000000000000-mapping.dmp

Download
memory/1176-59-0x0000000000000000-mapping.dmp

Download
memory/1184-64-0x0000000000000000-mapping.dmp

Download
memory/1196-104-0x0000000000000000-mapping.dmp

Download
memory/1228-82-0x0000000000000000-mapping.dmp

Download
memory/1364-118-0x0000000000000000-mapping.dmp

Download
memory/1368-89-0x0000000000000000-mapping.dmp

Download
memory/1368-120-0x0000000000000000-mapping.dmp

Download
memory/1380-67-0x0000000000000000-mapping.dmp

Download
memory/1408-81-0x0000000000000000-mapping.dmp

Download
memory/1420-57-0x0000000000000000-mapping.dmp

Download
memory/1460-114-0x0000000000000000-mapping.dmp

Download
memory/1544-74-0x0000000000000000-mapping.dmp

Download
memory/1576-101-0x0000000000000000-mapping.dmp

Download
memory/1592-71-0x0000000000000000-mapping.dmp

Download
memory/1592-113-0x0000000000000000-mapping.dmp

Download
memory/1596-72-0x0000000000000000-mapping.dmp

Download
memory/1608-62-0x0000000000000000-mapping.dmp

Download
memory/1612-84-0x0000000000000000-mapping.dmp

Download
memory/1648-73-0x0000000000000000-mapping.dmp

Download
memory/1668-96-0x0000000000000000-mapping.dmp

Download
memory/1676-97-0x0000000000000000-mapping.dmp

Download
memory/1684-100-0x0000000000000000-mapping.dmp

Download
memory/1700-117-0x0000000000000000-mapping.dmp

Download
memory/1704-92-0x0000000000000000-mapping.dmp

Download
memory/1708-91-0x0000000000000000-mapping.dmp

Download
memory/1724-108-0x0000000000000000-mapping.dmp

Download
memory/1728-88-0x0000000000000000-mapping.dmp

Download
memory/1728-111-0x0000000000000000-mapping.dmp

Download
memory/1736-90-0x0000000000000000-mapping.dmp

Download
memory/1740-65-0x0000000000000000-mapping.dmp

Download
memory/1760-116-0x0000000000000000-mapping.dmp

Download
memory/1764-110-0x0000000000000000-mapping.dmp

Download
memory/1772-119-0x0000000000000000-mapping.dmp

Download
memory/1772-83-0x0000000000000000-mapping.dmp

Download
memory/1804-106-0x0000000000000000-mapping.dmp

Download
memory/1832-109-0x0000000000000000-mapping.dmp

Download
memory/1848-87-0x0000000000000000-mapping.dmp

Download
memory/1872-58-0x0000000000000000-mapping.dmp

Download
memory/1880-76-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1880-61-0x0000000000000000-mapping.dmp

Download
memory/1912-63-0x0000000000000000-mapping.dmp

Download
memory/1924-105-0x0000000000000000-mapping.dmp

Download
memory/1944-124-0x0000000000000000-mapping.dmp

Download
memory/1972-78-0x0000000000000000-mapping.dmp

Download
memory/2016-80-0x0000000000000000-mapping.dmp

Download
memory/2024-68-0x0000000000000000-mapping.dmp

Download
memory/2028-75-0x0000000000000000-mapping.dmp

Download
memory/2028-112-0x0000000000000000-mapping.dmp

Download
memory/2044-94-0x0000000000000000-mapping.dmp

Download