96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a

Analysis

max time kernel
157s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
Size

333KB
MD5

57504bca0f333befa73476e449f6a8a0
SHA1

c207f136cda100bb9b319d3276914f697ccb3499
SHA256

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a
SHA512

cfe9f07fadbf874b9694990c631c8562ad511bbedd7ea91451d80a5c934f4c1036596b0043e441d3078a37cfef6bba818264ef64044606d77657e7a4a0c29bfc
SSDEEP

6144:AemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8A8otk1:n9cm+M9vFl/1HrN2otk1

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\odt\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">BPB51h738+lafLhElzKD5R1+wmgK4WGeHuQXIrmA9uWP6UhUprwDzd3NX+LUukqIxjkOwESVLvMxmO2OtPMwJiNYDK874Ae648bp+OFwuOGJoympIVk2Bba2A3newc5+qjybB3OEzrLhgZYGF1J3TnrDQFTnCBW1pAEJcHPDAu85kDg5nfRCLZk96/n0x5X1nazalnvkyGfmny1SBvekgVmfNumdiIINmoOMW02r+pQBvdtCEFdMUhuyDKwCouHNhLfWF7PwRbVObMS14eNWriFAHMprevW3UvzvlCEG41B+mOVbGTuIj7NJA+W0ynWbe7cfD+6LCxCXBhmi/IItzU5MOkP2l/eH4xeGc0tUK3mx2rdiTd9Lq8ePVuvpHn0KKoaM/ou7oB+uFngLekXceqhZKfYmkrsWLCOoH1LkxWtuAk0I1K1xsPs/ncPyNV+X2ql9ZSac7G0YeHKDH5wPc0/MuybvjuMcIMoYt2XSPq1xNkj/zMzhKnE+KhyiEWPY/xK5TWKbSvWE7Pk1Xg7N5I0iOMIjc6zJOLFlPnChEGRa/wxqHYZEfXTNb4FZLGEGA9bNKhLZM1O+WB0wmsT0NhwBhhZ2lSxaZcZokNmuBjEl032p50oeoB3EgudDQMmKu7jhTUfYiwbB6sMMHjMBnaedValNaK4lOLkGnJDWjJlzySBTDru6fryXrOFEACuh9S+gGspZ3bTmm4Uz7n7ynuO5/Sf75znyZ1tXwq6c3d0WcN/zqmd+2Wxw6+YgDIhX6ZJVwIbey/tMw2ZP2BoyXRUsv4m+bP96UU50YoEXeCO+rIWtznb3zj5b9ctx65ncpZ9Ec+zr4xo6XlUngQE0Qx8YKxcwhCzgkW+EQg07wv0l07W7RgS/v9kCeLyZUrrzfDiYNtWmvD4pnEqk2pevFA82JjB40tBXlE6uJGMp6AzaZbr2HN9BnWZCvlz4JYJRXC2lQqwKnQhqtSfulOgFeL2PckBJ2jPHAnqXuQcQV8A+bTnlKlpfkYK7ZTRCTA64o3Z+9LHjocKtC2J9TYvAy72Mjh5mxHX9AJ5b9CsWZ0jtVEPPeBwn//KvdGJUHyLPn0DJY80A5jr+mpZOV6rh4bCk+S9oWbLhbHOKA1q1AziRv/QhlvLJ3BfBrMhpLvnXGXhfuh8O7U4SyVUARL2mpV8/bJ//xnVTTYW94oq6lEeeXC9NKf50qfuCXKyGM0h9iAas3kGxcXaj/lf/p0wquAtnKJnqzJp+AdONEpm46psxjnKa8iwue4C+dbXucIead4sw/bYCI84Iaa/FD8Ji2VsogF4jFXS7K8V9uaNVITZAi4eDiiwzv/TONQs/WUU2Zb6LLUWgYJNiq3NWr254zm1E5aWNvCKa50zUqxvxt7do06Te3xgoq+xO6xe07q64gUiJtLZMTmrcCQEb+ZLxgtg3DKwiynEdrWHtDKkDRK4VBcMlDWmCHidGMeqgUY3giwjtctYB7ZaP/4+0LagwaBxFocplHhSeu36DshJ1mUxbRtsxHQh0E+yvTSnPp29Epp+cJNEL/huLC/7ukiX/oo7CarpDDWp1JNbKx8B5kSi+cgiSyFsTV2m6VcSFHUJTGitm+MRYuLmaDlOygeGwe8pUubtN1J3l9UTT1kGwIYRLrNX/aNYhuydA1ZCWGjoKJdfBOCM3fdh2kHkuBELEmIAxkeXp4IDgVMHi6xWXcoE=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

description pid process target process

PID 4568 created 3364 4568 96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1812 bcdedit.exe
928 bcdedit.exe
Renames multiple (1474) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3840 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2104 wbadmin.exe

description	pid	process	target process
PID 4568 created 3364	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	Explorer.EXE

pid	process
1812	bcdedit.exe
928	bcdedit.exe

pid	process
3840	wbadmin.exe

pid	process
2104	wbadmin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

description	ioc	process
File opened (read-only)	\??\S:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\V:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\G:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\J:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\L:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\O:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\P:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\Q:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\K:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\N:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\U:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\Y:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\Z:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\E:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\H:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\R:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\W:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\X:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\F:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\A:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\B:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\I:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\M:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\T:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

Drops file in Program Files directory 64 IoCs

Processes:

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.0 (x64).swidtag	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\.version	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\release	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

488 vssadmin.exe

pid	process
488	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1568	taskkill.exe
4744	taskkill.exe
3112	taskkill.exe
3604	taskkill.exe
4380	taskkill.exe
3404	taskkill.exe
4284	taskkill.exe
3552	taskkill.exe
4032	taskkill.exe
4512	taskkill.exe
1424	taskkill.exe
4164	taskkill.exe
3112	taskkill.exe
3552	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

pid	process
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenet.exetaskkill.execmd.exetaskkill.exenet1.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4744	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	4284	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	1568	net.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	4512	cmd.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	3604	net1.exe
Token: SeIncreaseQuotaPrivilege	3564	WMIC.exe
Token: SeSecurityPrivilege	3564	WMIC.exe
Token: SeTakeOwnershipPrivilege	3564	WMIC.exe
Token: SeLoadDriverPrivilege	3564	WMIC.exe
Token: SeSystemProfilePrivilege	3564	WMIC.exe
Token: SeSystemtimePrivilege	3564	WMIC.exe
Token: SeProfSingleProcessPrivilege	3564	WMIC.exe
Token: SeIncBasePriorityPrivilege	3564	WMIC.exe
Token: SeCreatePagefilePrivilege	3564	WMIC.exe
Token: SeBackupPrivilege	3564	WMIC.exe
Token: SeRestorePrivilege	3564	WMIC.exe
Token: SeShutdownPrivilege	3564	WMIC.exe
Token: SeDebugPrivilege	3564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3564	WMIC.exe
Token: SeRemoteShutdownPrivilege	3564	WMIC.exe
Token: SeUndockPrivilege	3564	WMIC.exe
Token: SeManageVolumePrivilege	3564	WMIC.exe
Token: 33	3564	WMIC.exe
Token: 34	3564	WMIC.exe
Token: 35	3564	WMIC.exe
Token: 36	3564	WMIC.exe
Token: SeBackupPrivilege	4748	vssvc.exe
Token: SeRestorePrivilege	4748	vssvc.exe
Token: SeAuditPrivilege	4748	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4568 wrote to memory of 4336	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 4336	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 4336	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4336 wrote to memory of 4680	4336	cmd.exe	cmd.exe
PID 4336 wrote to memory of 4680	4336	cmd.exe	cmd.exe
PID 4568 wrote to memory of 2808	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 2808	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 2808	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2808 wrote to memory of 2760	2808	cmd.exe	cmd.exe
PID 2808 wrote to memory of 2760	2808	cmd.exe	cmd.exe
PID 2760 wrote to memory of 4744	2760	cmd.exe	taskkill.exe
PID 2760 wrote to memory of 4744	2760	cmd.exe	taskkill.exe
PID 4568 wrote to memory of 400	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 400	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 400	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 400 wrote to memory of 4608	400	cmd.exe	cmd.exe
PID 400 wrote to memory of 4608	400	cmd.exe	cmd.exe
PID 4608 wrote to memory of 4380	4608	cmd.exe	taskkill.exe
PID 4608 wrote to memory of 4380	4608	cmd.exe	taskkill.exe
PID 4568 wrote to memory of 4428	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 4428	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 4428	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4428 wrote to memory of 676	4428	cmd.exe	cmd.exe
PID 4428 wrote to memory of 676	4428	cmd.exe	cmd.exe
PID 676 wrote to memory of 3404	676	cmd.exe	taskkill.exe
PID 676 wrote to memory of 3404	676	cmd.exe	taskkill.exe
PID 4568 wrote to memory of 2928	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 2928	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 2928	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2928 wrote to memory of 2244	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 2244	2928	cmd.exe	cmd.exe
PID 2244 wrote to memory of 1424	2244	cmd.exe	taskkill.exe
PID 2244 wrote to memory of 1424	2244	cmd.exe	taskkill.exe
PID 4568 wrote to memory of 2692	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 2692	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 2692	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2692 wrote to memory of 1228	2692	cmd.exe	cmd.exe
PID 2692 wrote to memory of 1228	2692	cmd.exe	cmd.exe
PID 1228 wrote to memory of 3112	1228	cmd.exe	taskkill.exe
PID 1228 wrote to memory of 3112	1228	cmd.exe	taskkill.exe
PID 4568 wrote to memory of 1728	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 1728	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 1728	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 1728 wrote to memory of 4220	1728	cmd.exe	cmd.exe
PID 1728 wrote to memory of 4220	1728	cmd.exe	cmd.exe
PID 4220 wrote to memory of 4284	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 4284	4220	cmd.exe	taskkill.exe
PID 4568 wrote to memory of 1380	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 1380	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 1380	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 1380 wrote to memory of 4312	1380	cmd.exe	cmd.exe
PID 1380 wrote to memory of 4312	1380	cmd.exe	cmd.exe
PID 4312 wrote to memory of 3552	4312	cmd.exe	taskkill.exe
PID 4312 wrote to memory of 3552	4312	cmd.exe	taskkill.exe
PID 4568 wrote to memory of 2372	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 2372	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 2372	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2372 wrote to memory of 3900	2372	cmd.exe	cmd.exe
PID 2372 wrote to memory of 3900	2372	cmd.exe	cmd.exe
PID 3900 wrote to memory of 1568	3900	cmd.exe	net.exe
PID 3900 wrote to memory of 1568	3900	cmd.exe	net.exe
PID 4568 wrote to memory of 4376	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 4376	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 4568 wrote to memory of 4376	4568	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3364
- C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
  "C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:676
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        
        PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:4312
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        
        PID:3552
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:4376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:3840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:1612
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        
        PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:3248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:4496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:1860
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:3500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:4328
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        
        PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:2276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:4996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:4744
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:4420
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:2756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:4380
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:4100
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4512
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:2600
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1044
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:3080
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:3352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:928
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:2120
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:1680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:4284
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:4220
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:3028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:532
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:4352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:4180
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:4528
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2288
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:488
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:4868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2776
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:2372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:2484
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:4744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:4428
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:3956
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:928
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:4148
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:2928
- C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe -network
  2⤵
  - System policy modification
  PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:3552

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
1⤵
- Kills process with taskkill
PID:1568
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MSSQLServerADHelper100
  2⤵
  PID:2776

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\system32\net.exe
net stop REportServer$ISARS
1⤵
PID:4092
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop REportServer$ISARS
  2⤵
  PID:2168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
1KB

MD5
c8a36a9d1a8b89f5508a10ace4446eed

SHA1
ad48930ea5f0be2f4206e79ea5bd54cb053ab677

SHA256
bda6a7ced31b628dea9717aac6ced7746d76421ccaecd37b327503da6367a74f

SHA512
3b87eaba95dfa2ae5127ce71720f45beb8aa99b2dedeb469735f42a3b23171d6455d8bd5e91345e40847980ffaee9888678a3dd2cd78e76393d4b8769d4ed875

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
cd2fdd5398a38c636255025943a69083

SHA1
93c5dfaa2ff36eb7711c8f751df53598a3f9dc0f

SHA256
811cbde7d609e187d3bbabca2d81aaeeae5adc7c1928db0afad86324dfbc3ae8

SHA512
967c1c8cc12e5df5f43b39921b63278df8b43f2bd69c5a339422ef1a03d6e40f0c73c02d34c2a77cf9e833ce20be8b0029ae3b5ccf9a82f8dd65b7e84c75c73f

Download Submit
C:\odt\How_to_back_files.html

Filesize
5KB

MD5
99cfe652fdc08b0d5eca680122ad019a

SHA1
707e6d14af957212d3d0ef3c2173fa0cfca6f0b1

SHA256
0de3f72964b33f343894fc6086508b83da40cdc36ae7990193bf8b492c57fa2d

SHA512
97695be02db54aa1835da863bd596e6209208abf295ee336b06abc7781a37fda804983bbf55de4ac44396ed41db544449b951bc42c019b3c0673fa520709d439

Download Submit