Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
02-11-2021 15:42
General
-
Target
44edca2989cfa4ba819191b70323fe5f83e300dd0c2e66abb42f1f9ca831f29b.exe
-
Size
149KB
-
MD5
4e68455c60c1aa59b0c28808d6445e50
-
SHA1
7f58174891abc9b764d5cdd010078f107c1febb5
-
SHA256
44edca2989cfa4ba819191b70323fe5f83e300dd0c2e66abb42f1f9ca831f29b
-
SHA512
3c0b92f3b567e4652f39d1bd71bfe630933af00a6d39cb0911e30915d34a00dac345d5042877237d849375855f22ead11d8c583495f3823b45cfbaef87ef5f69
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Ransom Note
YOUR COMPANY WAS HACKED AND COMPROMISED!!!
All your important files have been encrypted!
Our encryption algorithms are very strong and your files are very well protected,
the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
____________________________________________________________________________________
For us this is just business and to prove to you our seriousness, we will decrypt you three files for free.
Just open our website, upload the encrypted files and get the decrypted files for free.
____________________________________________________________________________________
! WARNING !
Whole your network was fully COMPROMISED!
We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports,
Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients.
We got even more info about your partners and even about your staff.
Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us,
you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement.
We have seen it before cases with multi million costs in fines and lawsuits,
not to mention the company reputation and losing clients trust and the medias calling non-stop for answers.
Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public.
____________________________________________________________________________________
IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY.
YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU.
____________________________________________________________________________________
WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE.
THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT.
Instructions for contacting us:
____________________________________________________________________________________
You have way:
1) Using a TOR browser!
a. Download and install TOR browser from this site: https://torproject.org/
b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=NMU7PHR3V5 and paste it in the Tor browser.
c. Start a chat and follow the further instructions.
Key Identifier:
XGbbBBcaxHWhSyu+B7yGoqv/sNRlybS+xxVG1KfESXnZ6RAsdJBXXueIfnwlkCysfRtmb6EEGzynAjT/RiY4EDXa9ApG9Q+dJ+3wi/eNGhpHANaSEQh7d2oK/9Y8hQuFGCXhLqmUA+ojIxHS86ekiYwRYYgHG18Q0a9Ch04o8NqRuiTAP1AK6yP15UQLy6Oo0ggOvhO7u5MMuNQgEvwYQFAKKrFS3QaPRQF3wqsBE+GFcgP5zKxbkvJ4lDUcJ8l+QR4Sh+yvG/PIXv++CvjbHk8+vQhX83H6iQloQK1/uTxgh/wpaJy8bikvLh5X5hwHFqddR8hSUFhdbzucp+ORPzlb3NTHUbSO0WzxVIxs1EMRsn8GfWTQU/4Y7FlW9C2UdkdrF/CzeaYO1uMEi96NbHRdOWqzfUWSmRbKMDxvxO6HHUalJHjeg2I03Wvm7j2fqdUrlUolEgk5ye4lvvQS7fUepG1GSCNZ4Mr1rwXKSLYbAZ6I/2Re57tf3RdVi9gnBTllbn4BA8E7aeVkt9p46af2kignIGo5h3E0DzfM2IZ+mNgsgdCG5LPSw4MKmbhR1KM6/01kGnGJWOs3MwyKcf/94J1RvcYtjTrccnFqJFQ6SnQ6BVs+b5LLpyN6kLAmglBCdVQhKnLAyIA/kVt6JPISPgS4RHUw868hFlHsdc8=
URLs
http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=NMU7PHR3V5
Extracted
Path
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
Ransom Note
YOUR COMPANY WAS HACKED AND COMPROMISED!!!
All your important files have been encrypted!
Our encryption algorithms are very strong and your files are very well protected,
the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
____________________________________________________________________________________
For us this is just business and to prove to you our seriousness, we will decrypt you three files for free.
Just open our website, upload the encrypted files and get the decrypted files for free.
____________________________________________________________________________________
! WARNING !
Whole your network was fully COMPROMISED!
We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports,
Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients.
We got even more info about your partners and even about your staff.
Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us,
you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement.
We have seen it before cases with multi million costs in fines and lawsuits,
not to mention the company reputation and losing clients trust and the medias calling non-stop for answers.
Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public.
____________________________________________________________________________________
IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY.
YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU.
____________________________________________________________________________________
WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE.
THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT.
Instructions for contacting us:
____________________________________________________________________________________
You have way:
1) Using a TOR browser!
a. Download and install TOR browser from this site: https://torproject.org/
b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=NMU7PHR3V5 and paste it in the Tor browser.
c. Start a chat and follow the further instructions.
Key Identifier:
XGbbBBcaxHWhSyu+B7yGoqv/sNRlybS+xxVG1KfESXnZ6RAsdJBXXueIfnwlkCysfRtmb6EEGzynAjT/RiY4EDXa9ApG9Q+dJ+3wi/eNGhpHANaSEQh7d2oK/9Y8hQuFGCXhLqmUA+ojIxHS86ekiYwRYYgHG18Q0a9Ch04o8NqRuiTAP1AK6yP15UQLy6Oo0ggOvhO7u5MMuNQgEvwYQFAKKrFS3QaPRQF3wqsBE+GFcgP5zKxbkvJ4lDUcJ8l+QR4Sh+yvG/PIXv++CvjbHk8+vQhX83H6iQloQK1/uTxgh/wpaJy8bikvLh5X5hwHFqddR8hSUFhdbzucp+ORPzlb3NTHUbSO0WzxVIxs1EMRsn8GfWTQU/4Y7FlW9C2UdkdrF/CzeaYO1uMEi96NbHRdOWqzfUWSmRbKMDxvxO6HHUalJHjeg2I03Wvm7j2fqdUrlUolEgk5ye4lvvQS7fUepG1GSCNZ4Mr1rwXKSLYbAZ6I/2Re57tf3RdVi9gnBTllbn4BA8E7aeVkt9p46af2kignIGo5h3E0DzfM2IZ+mNgsgdCG5LPSw4MKmbhR1KM6/01kGnGJWOs3MwyKcf/94J1RvcYtjTrccnFqJFQ6SnQ6BVs+b5LLpyN6kLAmglBCdVQhKnLAyIA/kVt6JPISPgS4RHUw868hFlHsdc8=
Number of files that were processed is: 138
URLs
http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=NMU7PHR3V5
Extracted
Path
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Ransom Note
YOUR COMPANY WAS HACKED AND COMPROMISED!!!
All your important files have been encrypted!
Our encryption algorithms are very strong and your files are very well protected,
the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
____________________________________________________________________________________
For us this is just business and to prove to you our seriousness, we will decrypt you three files for free.
Just open our website, upload the encrypted files and get the decrypted files for free.
____________________________________________________________________________________
! WARNING !
Whole your network was fully COMPROMISED!
We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports,
Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients.
We got even more info about your partners and even about your staff.
Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us,
you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement.
We have seen it before cases with multi million costs in fines and lawsuits,
not to mention the company reputation and losing clients trust and the medias calling non-stop for answers.
Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public.
____________________________________________________________________________________
IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY.
YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU.
____________________________________________________________________________________
WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE.
THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT.
Instructions for contacting us:
____________________________________________________________________________________
You have way:
1) Using a TOR browser!
a. Download and install TOR browser from this site: https://torproject.org/
b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=NMU7PHR3V5 and paste it in the Tor browser.
c. Start a chat and follow the further instructions.
Key Identifier: XGbbBBcaxHWhSyu+B7yGoqv/sNRlybS+xxVG1KfESXnZ6RAsdJBXXueIfnwlkCysfRtmb6EEGzynAjT/RiY4EDXa9ApG9Q+dJ+3wi/eNGhpHANaSEQh7d2oK/9Y8hQuFGCXhLqmUA+ojIxHS86ekiYwRYYgHG18Q0a9Ch04o8NqRuiTAP1AK6yP15UQLy6Oo0ggOvhO7u5MMuNQgEvwYQFAKKrFS3QaPRQF3wqsBE+GFcgP5zKxbkvJ4lDUcJ8l+QR4Sh+yvG/PIXv++CvjbHk8+vQhX83H6iQloQK1/uTxgh/wpaJy8bikvLh5X5hwHFqddR8hSUFhdbzucp+ORPzlb3NTHUbSO0WzxVIxs1EMRsn8GfWTQU/4Y7FlW9C2UdkdrF/CzeaYO1uMEi96NbHRdOWqzfUWSmRbKMDxvxO6HHUalJHjeg2I03Wvm7j2fqdUrlUolEgk5ye4lvvQS7fUepG1GSCNZ4Mr1rwXKSLYbAZ6I/2Re57tf3RdVi9gnBTllbn4BA8E7aeVkt9p46af2kignIGo5h3E0DzfM2IZ+mNgsgdCG5LPSw4MKmbhR1KM6/01kGnGJWOs3MwyKcf/94J1RvcYtjTrccnFqJFQ6SnQ6BVs+b5LLpyN6kLAmglBCdVQhKnLAyIA/kVt6JPISPgS4RHUw868hFlHsdc8=
Number of files that were processed is: 138
URLs
http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=NMU7PHR3V5
Signatures
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 48 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\44edca2989cfa4ba819191b70323fe5f83e300dd0c2e66abb42f1f9ca831f29b.exe"C:\Users\Admin\AppData\Local\Temp\44edca2989cfa4ba819191b70323fe5f83e300dd0c2e66abb42f1f9ca831f29b.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\44edca2989cfa4ba819191b70323fe5f83e300dd0c2e66abb42f1f9ca831f29b.exe2⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
1ae2a631dd37413891ec0edf044828cf
SHA1bede97c1aa82fc562ed382312fe02c3c2d26d7c8
SHA25650f1b5d7330e6aa5be24569f2d1ef3a2c52d8d7c1fc27f75d3ceec72b2f8468d
SHA512fa204f369bfc64a83501d63400075b3b3ea2752485bdfc0b8842000b96ae3b3001afdddcd6bca5c9d48bfad62903a350eee1e4bd8652b90ae0d525c2b67d9a65
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-