c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c

Analysis

max time kernel
118s
max time network
142s
platform
windows7_x64
resource
win7-en-20211014
submitted
29-10-2021 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Size

203KB
MD5

cefd366a2c000d9bbbd35dfd0a73311d
SHA1

0864171c1e033067b04317979803d97f1c90c85b
SHA256

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c
SHA512

5f43b27b0495afb6ded495816405efe4a0d77b9991f56b7bfd09cd56d3ae890ec8dc2461a1806b2131edeaafc15d3478b471d1ef0376f9f78128eff539451040

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\HOW_TO_RECOVER_MY_FILES.txt

Ransom Note

ALL YOUR FILES HAS BEEN ENCRYPTED! ALL YOUR FILES HAVE NOW THE .LOCKED EXTENSION! TO DE-CRYPT YOUR FILES, CONTACT US HERE: 1- Download qTox >>> https://tox.chat/download.html 2- Install qTox and make a profile, after you have done this: 3- Use this TOX-ID (Copy + Paste): FF45ED6FCE4433D273E34DA1C22AC1B0290973082BE068066D5EDF6C62EF39500A691BDE33B9 and make a friend request, after 5 minutes, you will be in contact with our negotiator. If you want proof, attach 2-3 encrypted files together with the Key ID (you can find the Key-ID in the How-To-Recover-My-Files document on your Desktop,) less then 5Mb each, non-archived and your files should not contain valuable information, like Databases, back-ups, large excel sheets, etc. You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail! Alternatively, please get in touch with the negotiator at the following email address: [email protected] Key Identifier: LjqyEfdX+jDDhC1aV62UQ5a6cCb1cZuUgN8e29VcKpyy9AL/OMcz9OSgswuWxkJPfxKIqqDjfCJeGm4LD3BIX+cUVdAd4+f5mc0KOoWxSTmJ4psJ5uPUqOdPXo5SkWzQBDxR4QVZ0JDdlGj974yH5UpDQAuU6f8RQ39IBFe2sUzhywIPEQE6EKUEXiNVjKKkZ0d4oeAxDTj6xbVJZEHqM+hxA40Smdr7J/Io3AqlLesGRXDR2fL9SXblR5FoQpWQRDKTjWgDOG4/U4XsCHPX7nvkeXMEPdZJhGV+HGMRLPBhy+uqoYMZQLn7lksgm4Yln/FhJ5LobgEQXZoAt3Du6QizlzPbtiqCDtfbaZ3AfBoo9B4g98N/XO5QsfRiZo7sWD4kQGJGTtUPFRNTJTOddS32u6jAFO/ZhoVrgs+wKBnQql0qaCH3rn/WxKiiXBMvzT69/BUIiiMkonv0qDlZEcbajIhoKTOxJLyVrUPOfzU6aSfbCgZhsd/s5AKFegirzC1wm6E14uh5U6300Wpex81/g+UdGgCyVU19Y/6+ADFLq3idJlZM2X+Sw6gu8i2xgKmRomRrvCIcd0bSx4H/fpy3dXycVxS/TUhniWiaoKboyIl20t1LfWN+JiDz2JB1hn9rpe/ISEu07WLjoxaQjh98aqnEBvRLsJ+o0EOJOpE=

Emails

[email protected]

URLs

https://tox.chat/download.html

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
21	828	mshta.exe
23	828	mshta.exe
25	828	mshta.exe

Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	11	http://live.sysinternals.com/PsExec.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\CloseExport.crw => C:\Users\Admin\Pictures\CloseExport.crw.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\CompressUnpublish.png => C:\Users\Admin\Pictures\CompressUnpublish.png.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\OpenAdd.tiff	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\OpenAdd.tiff.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveRevoke.crw.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\SearchJoin.png => C:\Users\Admin\Pictures\SearchJoin.png.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\CloseExport.crw.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\CompressUnpublish.png.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\OpenAdd.tiff => C:\Users\Admin\Pictures\OpenAdd.tiff.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\ResolveRevoke.crw => C:\Users\Admin\Pictures\ResolveRevoke.crw.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\SearchJoin.png.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Deletes itself 1 IoCs

pid	Process
948	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reload1.lnk	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\P:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\G:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\J:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\L:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\V:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\E:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\T:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\N:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\U:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\A:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\F:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\H:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\Z:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\Q:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\Y:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\W:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\S:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\K:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\X:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\B:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\M:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\R:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\O:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your files are secured, please read the text note located in your desktop..."	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

pid	Process
1292	taskkill.exe
1828	taskkill.exe
1916	taskkill.exe
1724	taskkill.exe
1712	taskkill.exe
1716	taskkill.exe
1076	taskkill.exe
1228	taskkill.exe
1044	taskkill.exe
1476	taskkill.exe
1556	taskkill.exe
1628	taskkill.exe
1924	taskkill.exe
888	taskkill.exe
1908	taskkill.exe
1112	taskkill.exe
984	taskkill.exe
1776	taskkill.exe
912	taskkill.exe
1188	taskkill.exe
952	taskkill.exe
1060	taskkill.exe
2024	taskkill.exe
1592	taskkill.exe
1916	taskkill.exe
1728	taskkill.exe
1496	taskkill.exe
1912	taskkill.exe
1164	taskkill.exe
548	taskkill.exe
1768	taskkill.exe
1940	taskkill.exe
1688	taskkill.exe
1920	taskkill.exe
888	taskkill.exe
1548	taskkill.exe
1164	taskkill.exe
1612	taskkill.exe
2032	taskkill.exe
1588	taskkill.exe
288	taskkill.exe
1376	taskkill.exe
1888	taskkill.exe
1676	taskkill.exe
1768	taskkill.exe
1504	taskkill.exe
1680	taskkill.exe
1276	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1064	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1232	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
828	mshta.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	1292	Process not Found
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1060	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 1188	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	29
PID 464 wrote to memory of 1188	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	29
PID 464 wrote to memory of 1188	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	29
PID 464 wrote to memory of 1188	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	29
PID 464 wrote to memory of 1068	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	31
PID 464 wrote to memory of 1068	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	31
PID 464 wrote to memory of 1068	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	31
PID 464 wrote to memory of 1068	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	31
PID 464 wrote to memory of 1064	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	33
PID 464 wrote to memory of 1064	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	33
PID 464 wrote to memory of 1064	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	33
PID 464 wrote to memory of 1064	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	33
PID 464 wrote to memory of 1828	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	35
PID 464 wrote to memory of 1828	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	35
PID 464 wrote to memory of 1828	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	35
PID 464 wrote to memory of 1828	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	35
PID 464 wrote to memory of 840	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	37
PID 464 wrote to memory of 840	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	37
PID 464 wrote to memory of 840	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	37
PID 464 wrote to memory of 840	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	37
PID 464 wrote to memory of 1672	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	38
PID 464 wrote to memory of 1672	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	38
PID 464 wrote to memory of 1672	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	38
PID 464 wrote to memory of 1672	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	38
PID 464 wrote to memory of 2032	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	40
PID 464 wrote to memory of 2032	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	40
PID 464 wrote to memory of 2032	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	40
PID 464 wrote to memory of 2032	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	40
PID 464 wrote to memory of 1756	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	43
PID 464 wrote to memory of 1756	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	43
PID 464 wrote to memory of 1756	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	43
PID 464 wrote to memory of 1756	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	43
PID 464 wrote to memory of 2036	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	44
PID 464 wrote to memory of 2036	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	44
PID 464 wrote to memory of 2036	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	44
PID 464 wrote to memory of 2036	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	44
PID 464 wrote to memory of 1112	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	46
PID 464 wrote to memory of 1112	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	46
PID 464 wrote to memory of 1112	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	46
PID 464 wrote to memory of 1112	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	46
PID 464 wrote to memory of 928	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	48
PID 464 wrote to memory of 928	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	48
PID 464 wrote to memory of 928	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	48
PID 464 wrote to memory of 928	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	48
PID 464 wrote to memory of 908	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	50
PID 464 wrote to memory of 908	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	50
PID 464 wrote to memory of 908	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	50
PID 464 wrote to memory of 908	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	50
PID 464 wrote to memory of 952	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	53
PID 464 wrote to memory of 952	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	53
PID 464 wrote to memory of 952	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	53
PID 464 wrote to memory of 952	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	53
PID 464 wrote to memory of 1592	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	54
PID 464 wrote to memory of 1592	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	54
PID 464 wrote to memory of 1592	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	54
PID 464 wrote to memory of 1592	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	54
PID 464 wrote to memory of 1768	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	56
PID 464 wrote to memory of 1768	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	56
PID 464 wrote to memory of 1768	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	56
PID 464 wrote to memory of 1768	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	56
PID 464 wrote to memory of 1556	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	59
PID 464 wrote to memory of 1556	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	59
PID 464 wrote to memory of 1556	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	59
PID 464 wrote to memory of 1556	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	59

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Information..."	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files are secured, please read the text note located in your desktop..."	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

C:\Users\Admin\AppData\Local\Temp\c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
"C:\Users\Admin\AppData\Local\Temp\c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:464
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1068
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1064
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1828
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:840
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1672
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:2032
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1756
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:2036
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1112
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:928
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:1292
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1556
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1900
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1472
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1064
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1168
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1908
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:912
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_RECOVER_MY_FILES.hta
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  PID:828
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1232
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
  2⤵
  - Deletes itself
  PID:948
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/464-57-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/464-55-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1060-119-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/1060-118-0x0000000075F41000-0x0000000075F43000-memory.dmp

Filesize
8KB

Download