Resubmissions
24-02-2022 10:10
220224-l7djracga3 10Analysis
-
max time kernel
132s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
24-02-2022 10:10
General
-
Target
c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
-
Size
7.6MB
-
MD5
33f612338b6b5e6b4fe8cbb17208795c
-
SHA1
66535700bbce7f90d2add7c504bc0e0523d4d71d
-
SHA256
c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a
-
SHA512
7dfce042f5287858cf1d2942f6672084d01ad5677c7b47a1e9c2bcd4e0a2ea375ccd3a33676dc64dbe28edfe4fd19d25de5232c8fd23c0c7b24708c85b647fb2
Score
10/10
Malware Config
Extracted
Path
C:\re_ad_me.txt
Ransom Note
All of your files are currently encrypted by ZEON strain.
As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly.
If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge.
You can contact our team directly for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion/
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.
---BEGIN ID---
FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh
---END ID---
URLs
http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion/
Signatures
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL 31 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 53 IoCs
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe"C:\Users\Admin\AppData\Local\Temp\c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe"C:\Users\Admin\AppData\Local\Temp\c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe"2⤵
- Modifies extensions of user files
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop /y backup3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y backup4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y wbengine3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y wbengine4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y McShield3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y McShield4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im steam.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y mfefire3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y mfefire4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y EhttpSrv3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y EhttpSrv4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y KAVF3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y KAVF4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocautoupds.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y VeeamNFSSvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y VeeamNFSSvc4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im backup.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y bedbg3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y bedbg4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y SmcService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y SmcService4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im winword.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thunderbird.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y Sophos3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Sophos4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y CCSF3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y CCSF4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y tmlisten3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y tmlisten4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im dbsnmp.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y ekrn3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y ekrn4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mydesktopservice.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y RESvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y RESvc4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Raccine.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im firefox.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y EPSecurity3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y EPSecurity4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im veeam.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y xchange3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y xchange4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y TrueKey3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y TrueKey4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y MsDts3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y MsDts4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im vmwp.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im msaccess.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im wordpad.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im oracle.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sofos.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y swi_3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y swi_4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im xfssvccon.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y Enterprise3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Enterprise4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im xchange.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y AVP3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y AVP4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im isqlplussvc.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im notepad.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y Exchange3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Exchange4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y Smcinst3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Smcinst4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y Antivirus3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Antivirus4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y NetMsmq3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y NetMsmq4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocomm.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocssd.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im dbeng50.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im firefoxconfig.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im synctime.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y mfemms3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y mfemms4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y Monitor3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Monitor4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y WRSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y WRSVC4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im calc.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im powerpnt.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y veeam3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y veeam4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im encsvc.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y Veeam3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Veeam4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im virtual.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y vmcomp3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y vmcomp4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im raccine.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y SMTP3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y SMTP4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mbamtray.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im vmcomp.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y W3S3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y W3S4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y vss3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y vss4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Ntrtscan.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y EsgShKernel3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y EsgShKernel4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y ntrt3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y ntrt4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlbcoreservice.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y Eraser3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Eraser4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y task3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y task4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im dbeng.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im word.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im PccNTMon.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y IMAP43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y IMAP44⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y klnagent3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y klnagent4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mspub.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im tmlisten.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ekrn.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mydesktop.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqbcoreservice.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y FA_Scheduler3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y FA_Scheduler4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y VeeamTransportSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y VeeamTransportSvc4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y sql3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y sql4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im infopath.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im tbirdconfig.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y EPUpdate3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y EPUpdate4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y Back3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Back4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y UIODetect3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y UIODetect4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im visio.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y ESHASRV3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y ESHASRV4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y vmwp3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y vmwp4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y acronis3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y acronis4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y POP33⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y POP34⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im zoolz.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y mms3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y mms4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mydesktopqos.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thebat.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y Endpoint3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Endpoint4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y Afee3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Afee4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im CNTAoSMgr.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y Report3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Report4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y IISAdmin3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y IISAdmin4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sql.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y DCAgent3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y DCAgent4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y MBAM3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y MBAM4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y PDVF3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y PDVF4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im onenote.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im outlook.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y mfevtp3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y mfevtp4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop /y AcrSch3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y AcrSch4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Backup.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y SNAC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y SNAC4⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im excel.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop /y Backup3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop /y Backup4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks.exe /Create /TN zE0xO6us /TR "CMD.EXE DEL /F /Q "{DNAME}\{PRNAME}" >> NUL" /sc once /st 00:00 /RL HIGHEST3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Create /TN zE0xO6us /TR "CMD.EXE DEL /F /Q "{DNAME}\{PRNAME}" >> NUL" /sc once /st 00:00 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "{PATHIM}" >> NUL" /sc once /st 00:00 /RL HIGHEST3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "{PATHIM}" >> NUL" /sc once /st 00:00 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks.exe /Create /TN zE0xO6bGus /TR "CMD.EXE DEL /F /Q "C:\ProgramData\pqBxGx.jpg" >> NUL" /sc once /st 00:00 /RL HIGHEST3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Create /TN zE0xO6bGus /TR "CMD.EXE DEL /F /Q "C:\ProgramData\pqBxGx.jpg" >> NUL" /sc once /st 00:00 /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks.exe /Run /TN zE0xO6us3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Run /TN zE0xO6us4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks.exe /Run /TN zE0xO6tMpus3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Run /TN zE0xO6tMpus4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks.exe /Run /TN zE0xO6bGus3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Run /TN zE0xO6bGus4⤵
-
-
-
-
C:\Windows\system32\CMD.EXECMD.EXE DEL /F /Q {DNAME}\{PRNAME} >> NUL1⤵
-
C:\Windows\system32\CMD.EXECMD.EXE DEL /F /Q {PATHIM} >> NUL1⤵
-
C:\Windows\system32\CMD.EXECMD.EXE DEL /F /Q C:\ProgramData\pqBxGx.jpg >> NUL1⤵