c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f

Analysis

max time kernel
121s
max time network
122s
platform
windows10_x64
resource
win10-en-20211014
submitted
29-10-2021 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
Size

106KB
MD5

af745cf9bbc68f8652678a1299abb68d
SHA1

cd4793e42b0a27b2d73bc558d2d01842f73311e4
SHA256

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f
SHA512

22fdaa9a782c1e3c08b0403dee317ccb441eec6c461a7b3372e184c557ba7721ab62412a161a9b33ee96fe4f8240ccc1f5142bfa76a14b2001b73a113ff018fd

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\decrypt_info.txt

Ransom Note

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] or: [email protected] (Backup mail) Send us this file decrypt_info ================================================================================================================= Free decryption as a guarantee Before paying, you can send 1-2 files for free decryption. File format: txt doc pdf jpeg jpg gif png bmp Total file size should not exceed 2 MB (without archive) ====================================================== You can buy Bitcoins here: https://localbitcoins.com Or use the search how to buy Bitcoins in your country ================================================================================================================= IMPORTANT!!! Remember that your files are encrypted and only WE can recover them! Do not try to recover yourself, as well as on third-party resources, you will lose your files and money forever! =============================================================================================================== Key Identifier: Kdtcq+s7UnqgqmU2Yljc1sBuT2AavRO7NU7XxHQRkemES+V4oLQTpIlZpXH3ywu/JJTfMRgX+ZmQUqiMobjFqv2/1xkkBEso8ZxlEAAfI2HrRGh28n/uXHmU0KyL1cXsAaUGBnK2nBXkIcYCz8ELa+C/x0vaORuk5oeBjI/KemRWBHr+fuWP8aJLYj77dWfPFyaiAzn/rgWrGv/kSCYAJBKiswPosemR6WhNO1nxPLWWg9nv7PNUm0aQTPY9TNvGsfvND7Raj4TxdKuEI6us3yB5sLK0XbzXp7kRx1Xo3Bmk9Ss0W0QKZfZW094WelH7RjoOfz0k3vlJ5QNTm4UmzmW1DOaYqTf8Y/dK6lOzuFoyNtC/FPj/lu4XixDO4mp7q75f5F5R7CnoXPwEaOaEKYeWr0iQnfyM9qhYyRS52Tpaj45ZkdOcUEfLlB20ZDVNSAiVYSZANp5axMAFDDAYo6t82p9137Ki+jA66ffKgZbRpbrxPSqK2kZQBiGPe71Ir+cGEWLo2G+f4NV62VgAd1aZQj+GedC5GcoSZEVlJJh1IQHUovcLuN05yB6BOE9uYc1dj6OnPHUVGkRgDM55CvOasOiw3Q2RrT0VI9pIrzKcWovruL6YClI4CVeLTdev7b2GQAbqZsEqo85TWJLpam4GLxIfW746m1DwKAlg7N4= PC Hardware ID: DA5D582B

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\decrypt_info.txt

Ransom Note

Emails

[email protected]

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	ioc	process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

Drops file in Program Files directory 20 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	ioc	process
File opened for modification	C:\Program Files\UnblockPop.bin.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\StartConvert.hta	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\StartConvert.hta.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\UnblockPop.bin	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ConvertSubmit.jpeg.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\FormatConfirm.temp	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ReadExit.emf	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\RevokeUnregister.txt.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\SuspendTest.dib.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\UnregisterJoin.mpg.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ConvertSubmit.jpeg	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\FormatConfirm.temp.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\RestartSubmit.clr	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\RestartSubmit.clr.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\RevokeUnregister.txt	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\SuspendTest.dib	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\UnregisterJoin.mpg	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\ReadExit.emf.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\RepairResume.jpeg	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Program Files\RepairResume.jpeg.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

Drops file in Windows directory 36 IoCs

Processes:

netsh.exec6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File opened for modification	C:\Windows\DtcInstall.log	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\lsasetup.log	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\Professional.xml	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\system.ini.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\WindowsUpdate.log.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File opened for modification	C:\Windows\PFRO.log	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\PFRO.log.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\system.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File created	C:\Windows\decrypt_info.txt	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File opened for modification	C:\Windows\DtcInstall.log.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\lsasetup.log.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\mib.bin	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\Professional.xml.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\bootstat.dat.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\WindowsUpdate.log	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File opened for modification	C:\Windows\bootstat.dat	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\win.ini	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File opened for modification	C:\Windows\setupact.log.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\WMSysPr9.prx	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File opened for modification	C:\Windows\setupact.log	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\setuperr.log	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File opened for modification	C:\Windows\win.ini.[ID-DA5D582B].[[email protected]].noname	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1996	taskkill.exe
3152	taskkill.exe
1512	taskkill.exe
2816	taskkill.exe
3992	taskkill.exe
1352	taskkill.exe
1488	taskkill.exe
1900	taskkill.exe
3748	taskkill.exe
3756	taskkill.exe
2480	taskkill.exe
3176	taskkill.exe
1724	taskkill.exe
872	taskkill.exe
2608	taskkill.exe
1656	taskkill.exe
3188	taskkill.exe
2936	taskkill.exe
2264	taskkill.exe
3948	taskkill.exe
2380	taskkill.exe
1192	taskkill.exe
2200	taskkill.exe
364	taskkill.exe
3576	taskkill.exe
2360	taskkill.exe
3456	taskkill.exe
2312	taskkill.exe
1992	taskkill.exe
2992	taskkill.exe
1424	taskkill.exe
832	taskkill.exe
652	taskkill.exe
1760	taskkill.exe
3792	taskkill.exe
2900	taskkill.exe
2252	taskkill.exe
1012	taskkill.exe
2332	taskkill.exe
2524	taskkill.exe
2840	taskkill.exe
2060	taskkill.exe
3972	taskkill.exe
3324	taskkill.exe
2652	taskkill.exe
1996	taskkill.exe
3260	taskkill.exe
1176	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2664 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

3808 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2764 PING.EXE

pid	process
2664	reg.exe

pid	process
3808	notepad.exe

pid	process
2764	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

pid	process
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	364	taskkill.exe
Token: SeDebugPrivilege	3324	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	3260	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	2360	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	3748	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	3152	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	4032	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

pid process

2680 c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

pid process

2680 c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	pid	process	target process
PID 2680 wrote to memory of 2900	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2900	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2900	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2380	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 2680 wrote to memory of 2380	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 2680 wrote to memory of 2380	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 2680 wrote to memory of 2664	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 2680 wrote to memory of 2664	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 2680 wrote to memory of 2664	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	reg.exe
PID 2680 wrote to memory of 3936	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	schtasks.exe
PID 2680 wrote to memory of 3936	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	schtasks.exe
PID 2680 wrote to memory of 3936	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	schtasks.exe
PID 2680 wrote to memory of 3412	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	netsh.exe
PID 2680 wrote to memory of 3412	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	netsh.exe
PID 2680 wrote to memory of 3412	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	netsh.exe
PID 2680 wrote to memory of 3680	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 3680	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 3680	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 2828	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 2828	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 2828	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 4052	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 4052	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 4052	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 892	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 892	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 892	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 2408	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 2408	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 2408	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 3036	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 3036	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 3036	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 1144	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 1144	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 1144	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 956	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 956	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 956	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	sc.exe
PID 2680 wrote to memory of 2936	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2936	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2936	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2992	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2992	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2992	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 1512	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 1512	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 1512	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2264	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2264	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2264	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 3972	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 3972	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 3972	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2252	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2252	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2252	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 1424	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 1424	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 1424	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 1996	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 1996	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 1996	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe
PID 2680 wrote to memory of 2480	2680	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe	taskkill.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

C:\Users\Admin\AppData\Local\Temp\c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
"C:\Users\Admin\AppData\Local\Temp\c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2680
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:2380
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:2664
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:3936
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:3412
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:3680
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:2828
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:4052
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:892
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:2408
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:3036
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1144
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:364
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3260
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:2524
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2948
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:3036
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:3904
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\decrypt_info.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3808
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2764
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\decrypt_info.txt

MD5
9a8e4f665cf1041d4560846a61f10499

SHA1
decff0fbcac2481d9a2f15899a5234f9e1815729

SHA256
b297f45844fea06a2b6cfd718c6b8e5f60623c29daf0a9954fb78141fa4f7c0b

SHA512
e30be6d51e740359c4fa505d4cc7c0cff939d1684c7a9f6a78d5b801053c3e4edb15b07c4c70c645a33afcfce9b23fa650c3ad6bb376155b59a63e13208e6ead

Download Submit
memory/364-143-0x0000000000000000-mapping.dmp

Download
memory/652-149-0x0000000000000000-mapping.dmp

Download
memory/832-150-0x0000000000000000-mapping.dmp

Download
memory/872-158-0x0000000000000000-mapping.dmp

Download
memory/892-127-0x0000000000000000-mapping.dmp

Download
memory/956-131-0x0000000000000000-mapping.dmp

Download
memory/1012-146-0x0000000000000000-mapping.dmp

Download
memory/1144-130-0x0000000000000000-mapping.dmp

Download
memory/1176-169-0x0000000000000000-mapping.dmp

Download
memory/1192-173-0x0000000000000000-mapping.dmp

Download
memory/1352-153-0x0000000000000000-mapping.dmp

Download
memory/1424-138-0x0000000000000000-mapping.dmp

Download
memory/1488-155-0x0000000000000000-mapping.dmp

Download
memory/1512-134-0x0000000000000000-mapping.dmp

Download
memory/1656-175-0x0000000000000000-mapping.dmp

Download
memory/1724-144-0x0000000000000000-mapping.dmp

Download
memory/1760-154-0x0000000000000000-mapping.dmp

Download
memory/1900-159-0x0000000000000000-mapping.dmp

Download
memory/1992-177-0x0000000000000000-mapping.dmp

Download
memory/1996-166-0x0000000000000000-mapping.dmp

Download
memory/1996-139-0x0000000000000000-mapping.dmp

Download
memory/2060-171-0x0000000000000000-mapping.dmp

Download
memory/2200-142-0x0000000000000000-mapping.dmp

Download
memory/2252-137-0x0000000000000000-mapping.dmp

Download
memory/2264-135-0x0000000000000000-mapping.dmp

Download
memory/2312-172-0x0000000000000000-mapping.dmp

Download
memory/2332-152-0x0000000000000000-mapping.dmp

Download
memory/2360-156-0x0000000000000000-mapping.dmp

Download
memory/2380-165-0x0000000000000000-mapping.dmp

Download
memory/2380-120-0x0000000000000000-mapping.dmp

Download
memory/2408-128-0x0000000000000000-mapping.dmp

Download
memory/2480-140-0x0000000000000000-mapping.dmp

Download
memory/2524-157-0x0000000000000000-mapping.dmp

Download
memory/2608-168-0x0000000000000000-mapping.dmp

Download
memory/2652-148-0x0000000000000000-mapping.dmp

Download
memory/2664-121-0x0000000000000000-mapping.dmp

Download
memory/2680-118-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/2680-115-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2680-117-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/2816-161-0x0000000000000000-mapping.dmp

Download
memory/2828-125-0x0000000000000000-mapping.dmp

Download
memory/2840-170-0x0000000000000000-mapping.dmp

Download
memory/2900-119-0x0000000000000000-mapping.dmp

Download
memory/2936-132-0x0000000000000000-mapping.dmp

Download
memory/2948-184-0x0000000000000000-mapping.dmp

Download
memory/2992-133-0x0000000000000000-mapping.dmp

Download
memory/3036-129-0x0000000000000000-mapping.dmp

Download
memory/3036-186-0x0000000000000000-mapping.dmp

Download
memory/3152-174-0x0000000000000000-mapping.dmp

Download
memory/3176-141-0x0000000000000000-mapping.dmp

Download
memory/3188-178-0x0000000000000000-mapping.dmp

Download
memory/3260-147-0x0000000000000000-mapping.dmp

Download
memory/3324-145-0x0000000000000000-mapping.dmp

Download
memory/3412-123-0x0000000000000000-mapping.dmp

Download
memory/3456-167-0x0000000000000000-mapping.dmp

Download
memory/3576-160-0x0000000000000000-mapping.dmp

Download
memory/3680-124-0x0000000000000000-mapping.dmp

Download
memory/3748-164-0x0000000000000000-mapping.dmp

Download
memory/3756-176-0x0000000000000000-mapping.dmp

Download
memory/3792-162-0x0000000000000000-mapping.dmp

Download
memory/3904-208-0x0000000000000000-mapping.dmp

Download
memory/3936-122-0x0000000000000000-mapping.dmp

Download
memory/3948-151-0x0000000000000000-mapping.dmp

Download
memory/3972-136-0x0000000000000000-mapping.dmp

Download
memory/3992-163-0x0000000000000000-mapping.dmp

Download
memory/4032-179-0x0000000000000000-mapping.dmp

Download
memory/4032-183-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/4032-182-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/4032-185-0x0000000007090000-0x0000000007091000-memory.dmp

Filesize
4KB

Download
memory/4032-181-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4032-187-0x00000000046C2000-0x00000000046C3000-memory.dmp

Filesize
4KB

Download
memory/4032-188-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/4032-189-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/4032-191-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/4032-192-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/4032-193-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/4032-194-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/4032-195-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4032-205-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4032-206-0x00000000046C3000-0x00000000046C4000-memory.dmp

Filesize
4KB

Download
memory/4032-207-0x00000000046C4000-0x00000000046C6000-memory.dmp

Filesize
8KB

Download
memory/4032-180-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4052-126-0x0000000000000000-mapping.dmp

Download