Overview

overview

10

Static

static

10

0ed55db21a...16.exe

windows7_x64

10

0ed55db21a...16.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    02-11-2021 15:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ed55db21a1a5eeca96605f870cb6d4ddf1277e1e257371e75d6ee9e1507b216.exe

  • Size

    147KB

  • MD5

    86ad533921708b0668096db5c7625412

  • SHA1

    5fa4eea3b307a2de4de5e86620f40aa83e0c7938

  • SHA256

    0ed55db21a1a5eeca96605f870cb6d4ddf1277e1e257371e75d6ee9e1507b216

  • SHA512

    a1af898f3b2ef1d01e3406dfc1acb4bafb9f9931de9005d33f1c17bccbdf0b27abd0d20e2d00771ccf1ce4920836145c7f70e4b913b4ceb350bdf0fa889b27ea

Score
10/10
evasionpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note
YOUR COMPANY WAS HACKED AND COMPROMISED!!! All your important files have been encrypted! Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. ____________________________________________________________________________________ For us this is just business and to prove to you our seriousness, we will decrypt you three files for free. Just open our website, upload the encrypted files and get the decrypted files for free. ____________________________________________________________________________________ ! WARNING ! Whole your network was fully COMPROMISED! We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports, Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients. We got even more info about your partners and even about your staff. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. ____________________________________________________________________________________ IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY. YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU. ____________________________________________________________________________________ WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE. THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT. Instructions for contacting us: ____________________________________________________________________________________ You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=NMU7PHR3V5 and paste it in the Tor browser. c. Start a chat and follow the further instructions. Key Identifier: gZEERL6hlrlI8l/OXATQbDNQng8kB7BErSk6vpPqrx0KvY8VrCKQawDNjJMYXfdu+rFo4B5cNEpFzEXOtOGDV9mU3yfeFqg1GQo4KTkKm8+GsfO4nORtQH84lr39A6C09hBInObjomzStvKrkQQidUoxiTMCRg8JTLmISjVOlsn61/ao4RhZsbocapw7wXOvz3NC1hBpXPSeVD6L0yEuhgm0oCIkBwIg3gSAsvgBJtHCXFF1SS8VIk2fbHB1hAJYN6HFo6tJhkpZ7vPtgJeMrS+3KfgdrMh2lzlNyki88T8nfbcfaWIy4oxvZ1DGlz/05FayUaEGGIv1eQOBERHhjBiPPhzGefdvOyZLd6fB842kNp99L7lhXDqS6Zy7x478z00PQPauzFdNNI6+zDeOFYRSkXzo7n2pUMUI/7eaaoN0NE0WXyTucjpHRYuqKUA+stkMIu9GOAV9Y0IPL63Q5T4xbbuYGLz6RvEkjq0u/mOI8RNeJtUCdqspntta9kYyxdaPuOeqMlIB56VpWdwWEvujEJS6DVFeQ1CvSBj0izMAi0fLNZXFePj0Rk9NOB6los0GKMLYultGtEiobF077Iz27VY4dXLmKQI1ruFPZ7u4R4BbdcrRqyln7KiT7li4dflPrOux0bDDaE10yMx18j0riO1dabdEVF7CDDf634A=
URLs

http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=NMU7PHR3V5

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note
YOUR COMPANY WAS HACKED AND COMPROMISED!!! All your important files have been encrypted! Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. ____________________________________________________________________________________ For us this is just business and to prove to you our seriousness, we will decrypt you three files for free. Just open our website, upload the encrypted files and get the decrypted files for free. ____________________________________________________________________________________ ! WARNING ! Whole your network was fully COMPROMISED! We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports, Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients. We got even more info about your partners and even about your staff. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. ____________________________________________________________________________________ IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY. YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU. ____________________________________________________________________________________ WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE. THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT. Instructions for contacting us: ____________________________________________________________________________________ You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=NMU7PHR3V5 and paste it in the Tor browser. c. Start a chat and follow the further instructions. Key Identifier: gZEERL6hlrlI8l/OXATQbDNQng8kB7BErSk6vpPqrx0KvY8VrCKQawDNjJMYXfdu+rFo4B5cNEpFzEXOtOGDV9mU3yfeFqg1GQo4KTkKm8+GsfO4nORtQH84lr39A6C09hBInObjomzStvKrkQQidUoxiTMCRg8JTLmISjVOlsn61/ao4RhZsbocapw7wXOvz3NC1hBpXPSeVD6L0yEuhgm0oCIkBwIg3gSAsvgBJtHCXFF1SS8VIk2fbHB1hAJYN6HFo6tJhkpZ7vPtgJeMrS+3KfgdrMh2lzlNyki88T8nfbcfaWIy4oxvZ1DGlz/05FayUaEGGIv1eQOBERHhjBiPPhzGefdvOyZLd6fB842kNp99L7lhXDqS6Zy7x478z00PQPauzFdNNI6+zDeOFYRSkXzo7n2pUMUI/7eaaoN0NE0WXyTucjpHRYuqKUA+stkMIu9GOAV9Y0IPL63Q5T4xbbuYGLz6RvEkjq0u/mOI8RNeJtUCdqspntta9kYyxdaPuOeqMlIB56VpWdwWEvujEJS6DVFeQ1CvSBj0izMAi0fLNZXFePj0Rk9NOB6los0GKMLYultGtEiobF077Iz27VY4dXLmKQI1ruFPZ7u4R4BbdcrRqyln7KiT7li4dflPrOux0bDDaE10yMx18j0riO1dabdEVF7CDDf634A= Number of files that were processed is: 533
URLs

http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=NMU7PHR3V5

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note
YOUR COMPANY WAS HACKED AND COMPROMISED!!! All your important files have been encrypted! Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. ____________________________________________________________________________________ For us this is just business and to prove to you our seriousness, we will decrypt you three files for free. Just open our website, upload the encrypted files and get the decrypted files for free. ____________________________________________________________________________________ ! WARNING ! Whole your network was fully COMPROMISED! We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports, Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients. We got even more info about your partners and even about your staff. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. ____________________________________________________________________________________ IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY. YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU. ____________________________________________________________________________________ WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE. THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT. Instructions for contacting us: ____________________________________________________________________________________ You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=NMU7PHR3V5 and paste it in the Tor browser. c. Start a chat and follow the further instructions. Key Identifier: gZEERL6hlrlI8l/OXATQbDNQng8kB7BErSk6vpPqrx0KvY8VrCKQawDNjJMYXfdu+rFo4B5cNEpFzEXOtOGDV9mU3yfeFqg1GQo4KTkKm8+GsfO4nORtQH84lr39A6C09hBInObjomzStvKrkQQidUoxiTMCRg8JTLmISjVOlsn61/ao4RhZsbocapw7wXOvz3NC1hBpXPSeVD6L0yEuhgm0oCIkBwIg3gSAsvgBJtHCXFF1SS8VIk2fbHB1hAJYN6HFo6tJhkpZ7vPtgJeMrS+3KfgdrMh2lzlNyki88T8nfbcfaWIy4oxvZ1DGlz/05FayUaEGGIv1eQOBERHhjBiPPhzGefdvOyZLd6fB842kNp99L7lhXDqS6Zy7x478z00PQPauzFdNNI6+zDeOFYRSkXzo7n2pUMUI/7eaaoN0NE0WXyTucjpHRYuqKUA+stkMIu9GOAV9Y0IPL63Q5T4xbbuYGLz6RvEkjq0u/mOI8RNeJtUCdqspntta9kYyxdaPuOeqMlIB56VpWdwWEvujEJS6DVFeQ1CvSBj0izMAi0fLNZXFePj0Rk9NOB6los0GKMLYultGtEiobF077Iz27VY4dXLmKQI1ruFPZ7u4R4BbdcrRqyln7KiT7li4dflPrOux0bDDaE10yMx18j0riO1dabdEVF7CDDf634A= Number of files that were processed is: 533
URLs

http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=NMU7PHR3V5

Signatures

  • Downloads MZ/PE file
  • Downloads PsExec from SysInternals website 1 IoCs

    Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 15 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Drops desktop.ini file(s) 6 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 48 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ed55db21a1a5eeca96605f870cb6d4ddf1277e1e257371e75d6ee9e1507b216.exe
    "C:\Users\Admin\AppData\Local\Temp\0ed55db21a1a5eeca96605f870cb6d4ddf1277e1e257371e75d6ee9e1507b216.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:652
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Windows\SysWOW64\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:1044
      • C:\Windows\SysWOW64\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:1096
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:1956
        • C:\Windows\SysWOW64\sc.exe
          "sc.exe" config SQLTELEMETRY start= disabled
          2⤵
            PID:1000
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config Dnscache start= auto
            2⤵
              PID:1644
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" config FDResPub start= auto
              2⤵
                PID:924
              • C:\Windows\SysWOW64\sc.exe
                "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                2⤵
                  PID:668
                • C:\Windows\SysWOW64\sc.exe
                  "sc.exe" config SSDPSRV start= auto
                  2⤵
                    PID:1564
                  • C:\Windows\SysWOW64\sc.exe
                    "sc.exe" config SQLWriter start= disabled
                    2⤵
                      PID:1912
                    • C:\Windows\SysWOW64\sc.exe
                      "sc.exe" config SstpSvc start= disabled
                      2⤵
                        PID:812
                      • C:\Windows\SysWOW64\sc.exe
                        "sc.exe" config upnphost start= auto
                        2⤵
                          PID:1724
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mspub.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1676
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mspub.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1900
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM synctime.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:840
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM Ntrtscan.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1488
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mysqld.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1092
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mydesktopqos.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1672
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mydesktopservice.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1720
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqbcoreservice.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1148
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM isqlplussvc.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1332
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM firefoxconfig.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1848
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM encsvc.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:432
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM tbirdconfig.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:964
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM onenote.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1252
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM dbeng50.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2012
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM excel.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1532
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM PccNTMon.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1156
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM agntsvc.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1112
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM thebat.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1784
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM msaccess.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1052
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM CNTAoSMgr.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1120
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM thebat64.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1816
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM outlook.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1968
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM steam.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:420
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM ocomm.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:864
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqlwriter.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:548
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" IM thunderbird.exe /F
                          2⤵
                          • Kills process with taskkill
                          PID:1132
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM tmlisten.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1508
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM infopath.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1980
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM dbsnmp.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1056
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM wordpad.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:792
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM msftesql.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1712
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM xfssvccon.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1352
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mbamtray.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1192
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mysqld-opt.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1468
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM powerpnt.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1076
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM zoolz.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1512
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM ocautoupds.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1548
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mydesktopqos.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:884
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM ocssd.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:796
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM visio.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1268
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM oracle.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1740
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mydesktopservice.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1760
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqlagent.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1936
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM winword.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1736
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqlbrowser.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1640
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mysqld-nt.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1060
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqlservr.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1788
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                          2⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1168
                        • C:\Windows\SysWOW64\netsh.exe
                          "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
                          2⤵
                            PID:1532
                          • C:\Windows\SysWOW64\netsh.exe
                            "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
                            2⤵
                              PID:1112
                            • C:\Windows\SysWOW64\arp.exe
                              "arp" -a
                              2⤵
                                PID:1672
                              • C:\Windows\SysWOW64\cmd.exe
                                "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
                                2⤵
                                  PID:1132
                                • C:\Windows\SysWOW64\netsh.exe
                                  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
                                  2⤵
                                    PID:1432
                                  • C:\Windows\SysWOW64\netsh.exe
                                    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
                                    2⤵
                                      PID:1728
                                    • C:\Windows\SysWOW64\arp.exe
                                      "arp" -a
                                      2⤵
                                        PID:1428
                                      • C:\Windows\SysWOW64\mshta.exe
                                        "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                                        2⤵
                                        • Modifies Internet Explorer settings
                                        • Suspicious behavior: GetForegroundWindowSpam
                                        PID:1096
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                                        2⤵
                                          PID:812
                                          • C:\Windows\SysWOW64\PING.EXE
                                            ping 127.0.0.7 -n 3
                                            3⤵
                                            • Runs ping.exe
                                            PID:1044
                                          • C:\Windows\SysWOW64\fsutil.exe
                                            fsutil file setZeroData offset=0 length=524288 “%s”
                                            3⤵
                                              PID:1684
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\0ed55db21a1a5eeca96605f870cb6d4ddf1277e1e257371e75d6ee9e1507b216.exe
                                            2⤵
                                            • Deletes itself
                                            PID:1224
                                            • C:\Windows\SysWOW64\choice.exe
                                              choice /C Y /N /D Y /T 3
                                              3⤵
                                                PID:1844

                                          Network

                                          MITRE ATT&CK Enterprise v6

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                                            MD5

                                            f2aadebcef102841fc20ec431eb111b2

                                            SHA1

                                            457cf4b6d11fdf754510583aa8a380795abd6d4a

                                            SHA256

                                            e338977b26e843a646ab3bb2974f45d663d95ec64b102ed8b60ba2bc98d59003

                                            SHA512

                                            e1e3bd908a69cc2df2e9657f3405ad14bddc3085fb582d0fb2b521e434252144cfbafdf9dce2f0c6885116f0daec93fbc892df934485abc5958f86456ac01fb5

                                            Download Submit

                                          • memory/420-90-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/432-79-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/548-93-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/652-56-0x00000000005D0000-0x00000000005D1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/652-54-0x0000000000E70000-0x0000000000E71000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/668-64-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/792-98-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/796-107-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/812-67-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/840-71-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/864-92-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/884-106-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/924-63-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/964-80-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1000-61-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1044-58-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1052-87-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1056-97-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1060-114-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1076-103-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1092-73-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1096-59-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1112-83-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1112-123-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1120-89-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1132-126-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1132-94-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1148-76-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1156-85-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1168-117-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1168-120-0x0000000002460000-0x00000000030AA000-memory.dmp

                                            Filesize

                                            12.3MB

                                            Download

                                          • memory/1168-116-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1168-118-0x0000000002460000-0x00000000030AA000-memory.dmp

                                            Filesize

                                            12.3MB

                                            Download

                                          • memory/1168-119-0x0000000002460000-0x00000000030AA000-memory.dmp

                                            Filesize

                                            12.3MB

                                            Download

                                          • memory/1192-100-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1252-81-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1268-108-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1332-77-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1352-101-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1468-102-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1488-74-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1508-95-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1512-104-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1532-121-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1532-84-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1548-105-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1564-65-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1640-113-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1644-62-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1672-72-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1672-125-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1676-69-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1684-57-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1712-99-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1720-75-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1724-68-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1736-112-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1740-109-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1760-110-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1784-86-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1788-115-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1816-88-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1848-78-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1900-70-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1912-66-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1936-111-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1956-60-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1968-91-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/1980-96-0x0000000000000000-mapping.dmp

                                            Download

                                          • memory/2012-82-0x0000000000000000-mapping.dmp

                                            Download