bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f

General

Target

bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
Size

2.7MB
MD5

e3383885e03608cd7784ba4690493e26
SHA1

b87077a44d2a2e75a3ded415feea4056be1559f0
SHA256

bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f
SHA512

e957d2582e13a998cf3dc165be7a3852df19f469f212411545bc73afb36944be842826c0105045d47d9b4e9ef52f26f0612ce83ca37064efb567a3a420efb93f

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Unlock_All_Files.txt

Ransom Note

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hack For Life <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< All Your Files Has Been Locked! If you think you can decrypt the files we would be happy :) But all your files are protected by strong encryption with AES RSA 256 using military-grade encryption algorithm Video Decrypt: Due to the deletion of video on video sharing sites You can download and watch the video from the link below: https://drive.google.com/file/d/1L1qeBgY_AfjYVgO8FEZsViJxK4TBWXZI/view What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. You Can Send some Files that not Contains Valuable Data To make Sure That Your Files Can be Back with our Tool Your unique Id : QCNRHIFUSPKNSGNB Contact : [email protected] or https://t.me/filedecrypt002 What are the guarantees that I can decrypt my files after paying the ransom? Your main guarantee is the ability to decrypt test files. This means that we can decrypt all your files after paying the ransom. We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business. You Have 2days to Decide to Pay after 2 Days Decryption Price will Be Double And after 1 week it will be triple Try to Contact late and You will know Therefore, we recommend that you make payment within a few hours. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Again, we emphasize that no one can decrypt files, so don't be a victim of fraud. It's just a business Warning : If you email us late You may miss the Decrypt program Because our emails are blocked quickly So it is better as soon as they read email Email us ;) You Can Learn How to Buy Bitcoin From This links Below https://localbitcoins.com/buy_bitcoins https://www.coindesk.com/information/how-can-i-buy-bitcoins https://www.bestbitcoinexchange.io >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hack For Security <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Emails

[email protected]

URLs

https://drive.google.com/file/d/1L1qeBgY_AfjYVgO8FEZsViJxK4TBWXZI/view

https://t.me/filedecrypt002

https://www.bestbitcoinexchange.io

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01152_.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01139_.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105244.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02051_.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18194_.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43F.GIF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CRANINST.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_sml.png.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_te.dll.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\EUROTOOL.XLAM.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libmpg123_plugin.dll.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD.XML.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPQUOT.DPV.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-progress.jar.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\TWLAY32.DLL.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14982_.GIF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02578_.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00670_.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Tasks.accdt.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18227_.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SEQCHK10.DLL.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGHEADING.XML.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\calendar.css.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00413_.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152708.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXT.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00364_.WMF.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png.Email=[[email protected]]ID=[QCNRHIFUSPKNSGNB].encrypt	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1192 taskkill.exe
772 taskkill.exe
432 taskkill.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1192 taskkill.exe
Token: SeDebugPrivilege 772 taskkill.exe
Token: SeDebugPrivilege 432 taskkill.exe

pid	process
1192	taskkill.exe
772	taskkill.exe
432	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.execmd.execmd.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1204 wrote to memory of 1196	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1196	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1196	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1196 wrote to memory of 1192	1196	cmd.exe	taskkill.exe
PID 1196 wrote to memory of 1192	1196	cmd.exe	taskkill.exe
PID 1196 wrote to memory of 1192	1196	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 832	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 832	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 832	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 832 wrote to memory of 772	832	cmd.exe	taskkill.exe
PID 832 wrote to memory of 772	832	cmd.exe	taskkill.exe
PID 832 wrote to memory of 772	832	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 1076	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1076	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1076	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1076 wrote to memory of 432	1076	cmd.exe	taskkill.exe
PID 1076 wrote to memory of 432	1076	cmd.exe	taskkill.exe
PID 1076 wrote to memory of 432	1076	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 1912	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1912	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1912	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1752	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1752	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1752	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 744	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 744	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 744	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1616	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1616	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1616	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1616 wrote to memory of 360	1616	cmd.exe	attrib.exe
PID 1616 wrote to memory of 360	1616	cmd.exe	attrib.exe
PID 1616 wrote to memory of 360	1616	cmd.exe	attrib.exe
PID 1204 wrote to memory of 1640	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1640	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1640	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1640 wrote to memory of 1480	1640	cmd.exe	net.exe
PID 1640 wrote to memory of 1480	1640	cmd.exe	net.exe
PID 1640 wrote to memory of 1480	1640	cmd.exe	net.exe
PID 1480 wrote to memory of 1728	1480	net.exe	net1.exe
PID 1480 wrote to memory of 1728	1480	net.exe	net1.exe
PID 1480 wrote to memory of 1728	1480	net.exe	net1.exe
PID 1204 wrote to memory of 1952	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1952	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe
PID 1204 wrote to memory of 1952	1204	bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

360 attrib.exe

pid	process
360	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
"C:\Users\Admin\AppData\Local\Temp\bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlservr.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlservr.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlceip.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlceip.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlwriter.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlwriter.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Admin\AppData /s /q"
  2⤵
  PID:1912
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Default\AppData /s /q"
  2⤵
  PID:1752
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Public\AppData /s /q"
  2⤵
  PID:744
- C:\Windows\system32\cmd.exe
  cmd /C "attrib +h +s Encrypt.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\system32\attrib.exe
    attrib +h +s Encrypt.exe
    3⤵
    - Views/modifies file attributes
    PID:360
- C:\Windows\system32\cmd.exe
  cmd /C "net stop MSSQL$SQLEXPRESS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\system32\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:1728
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\$Recycle.Bin /s /q"
  2⤵
  PID:1952