Resubmissions
01-08-2022 08:17
220801-j625lsfeck 1005-07-2022 14:57
220705-sby9xaccb4 1005-07-2022 14:36
220705-ryptbacah4 1026-07-2021 12:57
210726-wxmw2p8876 10Analysis
-
max time kernel
110s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
05-07-2022 14:36
Static task
static1
Behavioral task
behavioral1
Sample
d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe
-
Size
235KB
-
MD5
c41a0e1ddeb85b6326a3dc403a5fd0fa
-
SHA1
3c8e60ce5ff0cb21be39d1176d1056f9ef9438fa
-
SHA256
d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9
-
SHA512
2e380295fe24b54e04699a43f4b124501f4b25ca356857b7a137718f1904dd60c3d7f40cea11063acbf15f5db85712d94a4572b8729d7cdc20ae9de9ace1882a
Score
10/10
Malware Config
Extracted
Path
C:\ClopReadMe.txt
Family
clop
Ransom Note
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly.
If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files
(Less than 5 Mb each, non-archived and your files should not contain valuable information
(Databases, backups, large excel sheets, etc.)).
You will receive decrypted samples and our conditions how to get the decoder.
Attention!!!
Your warranty - decrypted samples.
Do not rename encrypted files.
Do not try to decrypt your data using third party software.
We don`t need your files and your information.
But after 2 weeks all your files and keys will be deleted automatically.
Contact emails:
[email protected]
or
[email protected]
The final price depends on how fast you write to us.
Clop
Signatures
-
Clop
Ransomware discovered in early 2019 which has been actively developed since release.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exedescription ioc Process File created C:\Users\Admin\Pictures\ResumeTest.png.Clop d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File created C:\Users\Admin\Pictures\AddReceive.crw.Clop d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Pictures\CopyDisconnect.tiff d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File created C:\Users\Admin\Pictures\CopyDisconnect.tiff.Clop d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File created C:\Users\Admin\Pictures\FormatComplete.raw.Clop d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File created C:\Users\Admin\Pictures\InstallApprove.crw.Clop d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File created C:\Users\Admin\Pictures\LimitAdd.tif.Clop d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe -
Drops desktop.ini file(s) 24 IoCs
Processes:
d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exedescription ioc Process File opened for modification C:\Users\Admin\Downloads\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Videos\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Public\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Public\Documents\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Documents\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Links\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Music\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Searches\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Public\Music\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Public\Downloads\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Public\Libraries\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Public\Pictures\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Users\Public\Videos\desktop.ini d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exedescription ioc Process File opened (read-only) \??\V: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\Y: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\A: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\M: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\P: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\Q: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\R: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\X: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\G: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\I: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\N: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\O: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\W: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\J: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\K: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\L: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\T: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\Z: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\U: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\B: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\E: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\F: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\H: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened (read-only) \??\S: d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe -
Drops file in Program Files directory 2 IoCs
Processes:
d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exedescription ioc Process File opened for modification C:\Program Files\ClopReadMe.txt d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe File opened for modification C:\Program Files (x86)\ClopReadMe.txt d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe -
Drops file in Windows directory 1 IoCs
Processes:
d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exedescription ioc Process File opened for modification C:\Windows\ClopReadMe.txt d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid Process 7272 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exepid Process 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe 4756 d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
taskmgr.exedescription pid Process Token: SeDebugPrivilege 5056 taskmgr.exe Token: SeSystemProfilePrivilege 5056 taskmgr.exe Token: SeCreateGlobalPrivilege 5056 taskmgr.exe Token: 33 5056 taskmgr.exe Token: SeIncBasePriorityPrivilege 5056 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid Process 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid Process 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe"C:\Users\Admin\AppData\Local\Temp\d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4756
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5056
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4684
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CloseStop.txt1⤵
- Opens file in notepad (likely ransom note)
PID:7272