80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c

General

Target

80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
Size

2.7MB
MD5

c7e98cfdf6e3db405331cf6b38dc198a
SHA1

805d8c78c3dcc3db15499247b865f6bad473ed1f
SHA256

80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c
SHA512

b11d1cff3b35d2e5979bcae4ac839a845a2e8a30ab8724cc0c0ca6b550c0a276deb4f33041b84873de54efc8d66f2faa3b3521539d3956c6f92dcb2b23545a6f

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Unlock_All_Files.txt

Ransom Note

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hack For Life <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< All Your Files Has Been Locked! If you think you can decrypt the files we would be happy :) But all your files are protected by strong encryption with AES RSA 256 using military-grade encryption algorithm Video Decrypt: Due to the deletion of video on video sharing sites You can download and watch the video from the link below: https://drive.google.com/file/d/1L1qeBgY_AfjYVgO8FEZsViJxK4TBWXZI/view What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. You Can Send some Files that not Contains Valuable Data To make Sure That Your Files Can be Back with our Tool Your unique Id : HOOHSAYVLXYHHEBP Contact : [email protected] or https://t.me/filedecrypt002 What are the guarantees that I can decrypt my files after paying the ransom? Your main guarantee is the ability to decrypt test files. This means that we can decrypt all your files after paying the ransom. We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business. You Have 2days to Decide to Pay after 2 Days Decryption Price will Be Double And after 1 week it will be triple Try to Contact late and You will know Therefore, we recommend that you make payment within a few hours. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Again, we emphasize that no one can decrypt files, so don't be a victim of fraud. It's just a business Warning : If you email us late You may miss the Decrypt program Because our emails are blocked quickly So it is better as soon as they read email Email us ;) You Can Learn How to Buy Bitcoin From This links Below https://localbitcoins.com/buy_bitcoins https://www.coindesk.com/information/how-can-i-buy-bitcoins https://www.bestbitcoinexchange.io >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hack For Security <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Emails

[email protected]

URLs

https://drive.google.com/file/d/1L1qeBgY_AfjYVgO8FEZsViJxK4TBWXZI/view

https://t.me/filedecrypt002

https://www.bestbitcoinexchange.io

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\fi.txt.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\PipeTran.dll.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\et.pak.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hr.pak.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DisableReset.txt.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\7-Zip\readme.txt.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ar.pak.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogo.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ro.pak.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground_PAL.wmv.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\es.pak.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\WMM2CLIP.dll.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\ExportUnpublish.php.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\7-Zip\7-zip.dll.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png.Email=[[email protected]]ID=[HOOHSAYVLXYHHEBP].encrypt	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1632 taskkill.exe
1996 taskkill.exe
564 taskkill.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1632 taskkill.exe
Token: SeDebugPrivilege 1996 taskkill.exe
Token: SeDebugPrivilege 564 taskkill.exe

pid	process
1632	taskkill.exe
1996	taskkill.exe
564	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.execmd.execmd.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1012 wrote to memory of 1928	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 1928	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 1928	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1928 wrote to memory of 1632	1928	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 1632	1928	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 1632	1928	cmd.exe	taskkill.exe
PID 1012 wrote to memory of 1716	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 1716	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 1716	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1716 wrote to memory of 1996	1716	cmd.exe	taskkill.exe
PID 1716 wrote to memory of 1996	1716	cmd.exe	taskkill.exe
PID 1716 wrote to memory of 1996	1716	cmd.exe	taskkill.exe
PID 1012 wrote to memory of 1760	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 1760	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 1760	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1760 wrote to memory of 564	1760	cmd.exe	taskkill.exe
PID 1760 wrote to memory of 564	1760	cmd.exe	taskkill.exe
PID 1760 wrote to memory of 564	1760	cmd.exe	taskkill.exe
PID 1012 wrote to memory of 1164	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 1164	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 1164	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 1660	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 1660	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 1660	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 360	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 360	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 360	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 428	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 428	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 428	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 428 wrote to memory of 1808	428	cmd.exe	attrib.exe
PID 428 wrote to memory of 1808	428	cmd.exe	attrib.exe
PID 428 wrote to memory of 1808	428	cmd.exe	attrib.exe
PID 1012 wrote to memory of 808	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 808	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 808	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 808 wrote to memory of 1212	808	cmd.exe	net.exe
PID 808 wrote to memory of 1212	808	cmd.exe	net.exe
PID 808 wrote to memory of 1212	808	cmd.exe	net.exe
PID 1212 wrote to memory of 1776	1212	net.exe	net1.exe
PID 1212 wrote to memory of 1776	1212	net.exe	net1.exe
PID 1212 wrote to memory of 1776	1212	net.exe	net1.exe
PID 1012 wrote to memory of 532	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 532	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe
PID 1012 wrote to memory of 532	1012	80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1808 attrib.exe

pid	process
1808	attrib.exe

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlservr.exe /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\cmd.exe
cmd /C "taskkill /F /IM sqlservr.exe /T"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe
"C:\Users\Admin\AppData\Local\Temp\80524ef85a8b932ff3d782663ba401b04e0d4baf17b2e4554464c7f436e48c6c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlceip.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlwriter.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Admin\AppData /s /q"
  2⤵
  PID:1164
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Default\AppData /s /q"
  2⤵
  PID:1660
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Public\AppData /s /q"
  2⤵
  PID:360
- C:\Windows\system32\cmd.exe
  cmd /C "attrib +h +s Encrypt.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\system32\attrib.exe
    attrib +h +s Encrypt.exe
    3⤵
    - Views/modifies file attributes
    PID:1808
- C:\Windows\system32\cmd.exe
  cmd /C "net stop MSSQL$SQLEXPRESS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\$Recycle.Bin /s /q"
  2⤵
  PID:532

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlceip.exe /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlwriter.exe /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
1⤵
PID:1776

C:\Windows\system32\net.exe
net stop MSSQL$SQLEXPRESS
1⤵
- Suspicious use of WriteProcessMemory
PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/360-62-0x0000000000000000-mapping.dmp

Download
memory/428-63-0x0000000000000000-mapping.dmp

Download
memory/532-68-0x0000000000000000-mapping.dmp

Download
memory/564-59-0x0000000000000000-mapping.dmp

Download
memory/808-65-0x0000000000000000-mapping.dmp

Download
memory/1164-60-0x0000000000000000-mapping.dmp

Download
memory/1212-66-0x0000000000000000-mapping.dmp

Download
memory/1632-55-0x0000000000000000-mapping.dmp

Download
memory/1660-61-0x0000000000000000-mapping.dmp

Download
memory/1716-56-0x0000000000000000-mapping.dmp

Download
memory/1760-58-0x0000000000000000-mapping.dmp

Download
memory/1776-67-0x0000000000000000-mapping.dmp

Download
memory/1808-64-0x0000000000000000-mapping.dmp

Download
memory/1928-54-0x0000000000000000-mapping.dmp

Download
memory/1996-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing