Overview
overview
10Static
static
1004035f6fdd...f9.exe
windows7-x64
100ed3c87ce3...07.exe
windows7-x64
41ce291b079...c9.exe
windows7-x64
730e66f95b4...49.exe
windows7-x64
9335160bee7...cf.exe
windows7-x64
103d7dd597a4...67.exe
windows7-x64
142dcc46f9d...46.exe
windows7-x64
94fcaca23e9...f2.exe
windows7-x64
105994300c1c...a7.exe
windows7-x64
10627a5569d4...e3.exe
windows7-x64
763fa775052...2f.exe
windows7-x64
1645b8dfe73...79.exe
windows7-x64
164862ec699...1b.exe
windows7-x64
10741d75a02d...5e.exe
windows7-x64
107554a27519...2d.exe
windows7-x64
780bf2731a8...e4.exe
windows7-x64
108cc9f83e2e...92.exe
windows7-x64
79c80067790...95.exe
windows7-x64
9de1793d8db...df.exe
windows7-x64
3de6da70478...6e.exe
windows7-x64
1dfef52ffde...fe.exe
windows7-x64
7f3c6dac2d2...0f.exe
windows7-x64
10f682e063bc...40.exe
windows7-x64
10f7537bf47c...0b.exe
windows7-x64
10f89ee06ed2...6f.exe
windows7-x64
10Analysis
-
max time kernel
1802s -
max time network
1820s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
18-04-2024 18:50
Behavioral task
behavioral1
Sample
04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507.exe
Resource
win7-20240215-en
Behavioral task
behavioral3
Sample
1ce291b079977e7a3f81c44b644fe1f63ae34a0a1a5c264e9f6085c184f7a1c9.exe
Resource
win7-20240319-en
Behavioral task
behavioral4
Sample
30e66f95b46c8162c921648e31f8c4146ba3f0580f4e5aa3b4c4de18687f6a49.exe
Resource
win7-20240221-en
Behavioral task
behavioral5
Sample
335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567.exe
Resource
win7-20240221-en
Behavioral task
behavioral7
Sample
42dcc46f9d6e6e8efe3f95bc09dbdfb6206a52a4347dbb652f315cec483a2046.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
4fcaca23e9cfb7e5448f41bb520c9c35c68fd795ac6b3707d0c64cf92738acf2.exe
Resource
win7-20240215-en
Behavioral task
behavioral9
Sample
5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
Resource
win7-20231129-en
Behavioral task
behavioral10
Sample
627a5569d47d6c66be6888e4f68f0a50e491404a08da1a7d9242c2d29e3e8ee3.exe
Resource
win7-20240221-en
Behavioral task
behavioral11
Sample
63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279.exe
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b.exe
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
741d75a02d0c4974968f0738a8b67104e1c24a58143b73b5ed1c25ac023b695e.exe
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
80bf2731a81c113432f061b397d70cac72d907c39102513abe0f2bae079373e4.exe
Resource
win7-20240319-en
Behavioral task
behavioral17
Sample
8cc9f83e2ec4d36e50ec8407932ff3b8a7ad188a0cb95dad78028cce7921e492.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe
Resource
win7-20240221-en
Behavioral task
behavioral19
Sample
de1793d8db7f58f0ef53bee7fb0942ef4c6c348e4a547b6cfeb74ffa8de56cdf.exe
Resource
win7-20231129-en
Behavioral task
behavioral20
Sample
de6da70478e7f84cd06ace1a0934cc9d5732f35aa20e960dc121fd8cf2388d6e.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
dfef52ffdea9d5129cd6bf0b3df2997db40091a4bdb7f356f48feec5ac5ebcfe.exe
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
f3c6dac2d21f7289e2807c0479a76105a5e8ed3a5c7ccbeae6d289e0b6e6880f.exe
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
f682e063bc2c822fbe3083507b0717b1f8bc244149ed9acd9a78566f5a79a140.exe
Resource
win7-20240215-en
Behavioral task
behavioral24
Sample
f7537bf47cc039b9cda59c844faa90a75ba80f08148166fd83ff10a0bf55120b.exe
Resource
win7-20240221-en
Behavioral task
behavioral25
Sample
f89ee06ed27ff00fa5d8f6a5811a9e57063c72c9ec7d478321cdf2a2f018866f.exe
Resource
win7-20240220-en
General
-
Target
9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe
-
Size
1.3MB
-
MD5
22a975eb038011095e8b9ff9a3078ffa
-
SHA1
f2762fb4a819dad55daf7ae3f9e96753f04df94c
-
SHA256
9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795
-
SHA512
6cecf00b511ac39acf1b5920996b920787e13c6fbc9cc3fe46526c044f0d6813da55ee88205b8138033b55915ae6fd31c1149bef07b3116cb2459de017334a52
-
SSDEEP
24576:qI0Clbs7Kjsbs0pwKR1aQ9qVLUOHkXzWsfI9mO35s8RI93VZ4+nnI6i207pCS1Rp:oClbs7Kjsbs0pdR199qVLUOHkDWsfimT
Malware Config
Signatures
-
Clears Windows event logs 1 TTPs 3 IoCs
pid Process 1532 wevtutil.exe 2320 wevtutil.exe 2392 wevtutil.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 30 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\Videos\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\Favorites\Links for United States\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\Favorites\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RHQCJM0I\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SBRLW161\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\Music\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YQZLIS18\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\Desktop\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\Favorites\Links\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPUQSI86\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Users\Admin\Pictures\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\desktop.ini 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\autorun.inf cmd.exe File created C:\Users\Admin\AppData\Local\autorun.inf cmd.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00234_.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV.HXS 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR14F.GIF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Windows Media Player\en-US\wmlaunch.exe.mui 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\INDOMAIN.ICO 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46F.GIF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\MMSS.ICO 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFL.ICO 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Common Files\microsoft shared\ink\rtscom.dll 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01060_.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00820_.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.DataSetExtensions.Resources.dll 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01172_.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199283.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18191_.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_OFF.GIF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02265_.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21364_.GIF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_08.MID 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00642_.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORY.XML 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\COUPLER.WAV 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00296_.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01637_.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105306.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185786.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01575_.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\RICEPAPR.ELM 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00444_.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107182.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195384.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\RELAY.CER 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186360.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_en.dub 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR10F.GIF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SUBMIT.JS 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYBB.DPV 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02465_.WMF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14656_.GIF 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SNIPE.POC 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2724 vssadmin.exe -
Kills process with taskkill 2 IoCs
pid Process 560 taskkill.exe 816 taskkill.exe -
Modifies registry class 27 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "NoBitchesFile " cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "NoBitchesFile " cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "NoBitchesFile " cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "NoBitchesFile " cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rb cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pl\ = "NoBitchesFile " cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "NoBitchesFile " cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "NoBitchesFile " cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rb\ = "NoBitchesFile " cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.jar cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "NoBitchesFile" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1 cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.com cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dll cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dll\ = "NoBitchesFile " cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "NoBitchesFile " cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.js cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "NoBitchesFile " cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pl cmd.exe Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "NoBitchesFile " cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs cmd.exe -
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSecurityPrivilege 1532 wevtutil.exe Token: SeBackupPrivilege 1532 wevtutil.exe Token: SeSecurityPrivilege 2392 wevtutil.exe Token: SeBackupPrivilege 2392 wevtutil.exe Token: SeSecurityPrivilege 2320 wevtutil.exe Token: SeBackupPrivilege 2320 wevtutil.exe Token: SeIncreaseQuotaPrivilege 2364 WMIC.exe Token: SeSecurityPrivilege 2364 WMIC.exe Token: SeTakeOwnershipPrivilege 2364 WMIC.exe Token: SeLoadDriverPrivilege 2364 WMIC.exe Token: SeSystemProfilePrivilege 2364 WMIC.exe Token: SeSystemtimePrivilege 2364 WMIC.exe Token: SeProfSingleProcessPrivilege 2364 WMIC.exe Token: SeIncBasePriorityPrivilege 2364 WMIC.exe Token: SeCreatePagefilePrivilege 2364 WMIC.exe Token: SeBackupPrivilege 2364 WMIC.exe Token: SeRestorePrivilege 2364 WMIC.exe Token: SeShutdownPrivilege 2364 WMIC.exe Token: SeDebugPrivilege 2364 WMIC.exe Token: SeSystemEnvironmentPrivilege 2364 WMIC.exe Token: SeRemoteShutdownPrivilege 2364 WMIC.exe Token: SeUndockPrivilege 2364 WMIC.exe Token: SeManageVolumePrivilege 2364 WMIC.exe Token: 33 2364 WMIC.exe Token: 34 2364 WMIC.exe Token: 35 2364 WMIC.exe Token: SeIncreaseQuotaPrivilege 2708 WMIC.exe Token: SeSecurityPrivilege 2708 WMIC.exe Token: SeTakeOwnershipPrivilege 2708 WMIC.exe Token: SeLoadDriverPrivilege 2708 WMIC.exe Token: SeSystemProfilePrivilege 2708 WMIC.exe Token: SeSystemtimePrivilege 2708 WMIC.exe Token: SeProfSingleProcessPrivilege 2708 WMIC.exe Token: SeIncBasePriorityPrivilege 2708 WMIC.exe Token: SeCreatePagefilePrivilege 2708 WMIC.exe Token: SeBackupPrivilege 2708 WMIC.exe Token: SeRestorePrivilege 2708 WMIC.exe Token: SeShutdownPrivilege 2708 WMIC.exe Token: SeDebugPrivilege 2708 WMIC.exe Token: SeSystemEnvironmentPrivilege 2708 WMIC.exe Token: SeRemoteShutdownPrivilege 2708 WMIC.exe Token: SeUndockPrivilege 2708 WMIC.exe Token: SeManageVolumePrivilege 2708 WMIC.exe Token: 33 2708 WMIC.exe Token: 34 2708 WMIC.exe Token: 35 2708 WMIC.exe Token: SeDebugPrivilege 560 taskkill.exe Token: SeDebugPrivilege 816 taskkill.exe Token: SeIncreaseQuotaPrivilege 2708 WMIC.exe Token: SeSecurityPrivilege 2708 WMIC.exe Token: SeTakeOwnershipPrivilege 2708 WMIC.exe Token: SeLoadDriverPrivilege 2708 WMIC.exe Token: SeSystemProfilePrivilege 2708 WMIC.exe Token: SeSystemtimePrivilege 2708 WMIC.exe Token: SeProfSingleProcessPrivilege 2708 WMIC.exe Token: SeIncBasePriorityPrivilege 2708 WMIC.exe Token: SeCreatePagefilePrivilege 2708 WMIC.exe Token: SeBackupPrivilege 2708 WMIC.exe Token: SeRestorePrivilege 2708 WMIC.exe Token: SeShutdownPrivilege 2708 WMIC.exe Token: SeDebugPrivilege 2708 WMIC.exe Token: SeSystemEnvironmentPrivilege 2708 WMIC.exe Token: SeRemoteShutdownPrivilege 2708 WMIC.exe Token: SeUndockPrivilege 2708 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1708 wrote to memory of 2520 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 29 PID 1708 wrote to memory of 2520 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 29 PID 1708 wrote to memory of 2520 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 29 PID 1708 wrote to memory of 2520 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 29 PID 1708 wrote to memory of 2508 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 31 PID 1708 wrote to memory of 2508 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 31 PID 1708 wrote to memory of 2508 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 31 PID 1708 wrote to memory of 2508 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 31 PID 1708 wrote to memory of 2636 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 32 PID 1708 wrote to memory of 2636 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 32 PID 1708 wrote to memory of 2636 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 32 PID 1708 wrote to memory of 2636 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 32 PID 1708 wrote to memory of 2676 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 35 PID 1708 wrote to memory of 2676 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 35 PID 1708 wrote to memory of 2676 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 35 PID 1708 wrote to memory of 2676 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 35 PID 1708 wrote to memory of 2652 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 37 PID 1708 wrote to memory of 2652 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 37 PID 1708 wrote to memory of 2652 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 37 PID 1708 wrote to memory of 2652 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 37 PID 1708 wrote to memory of 1648 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 39 PID 1708 wrote to memory of 1648 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 39 PID 1708 wrote to memory of 1648 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 39 PID 1708 wrote to memory of 1648 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 39 PID 2520 wrote to memory of 1072 2520 cmd.exe 40 PID 2520 wrote to memory of 1072 2520 cmd.exe 40 PID 2520 wrote to memory of 1072 2520 cmd.exe 40 PID 2520 wrote to memory of 1072 2520 cmd.exe 40 PID 1708 wrote to memory of 1044 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 41 PID 1708 wrote to memory of 1044 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 41 PID 1708 wrote to memory of 1044 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 41 PID 1708 wrote to memory of 1044 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 41 PID 2636 wrote to memory of 1176 2636 cmd.exe 42 PID 2636 wrote to memory of 1176 2636 cmd.exe 42 PID 2636 wrote to memory of 1176 2636 cmd.exe 42 PID 2636 wrote to memory of 1176 2636 cmd.exe 42 PID 1708 wrote to memory of 2136 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 43 PID 1708 wrote to memory of 2136 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 43 PID 1708 wrote to memory of 2136 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 43 PID 1708 wrote to memory of 2136 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 43 PID 1708 wrote to memory of 932 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 44 PID 1708 wrote to memory of 932 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 44 PID 1708 wrote to memory of 932 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 44 PID 1708 wrote to memory of 932 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 44 PID 1072 wrote to memory of 2256 1072 cmd.exe 45 PID 1072 wrote to memory of 2256 1072 cmd.exe 45 PID 1072 wrote to memory of 2256 1072 cmd.exe 45 PID 1072 wrote to memory of 2256 1072 cmd.exe 45 PID 1708 wrote to memory of 2008 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 46 PID 1708 wrote to memory of 2008 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 46 PID 1708 wrote to memory of 2008 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 46 PID 1708 wrote to memory of 2008 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 46 PID 2508 wrote to memory of 1092 2508 cmd.exe 48 PID 2508 wrote to memory of 1092 2508 cmd.exe 48 PID 2508 wrote to memory of 1092 2508 cmd.exe 48 PID 2508 wrote to memory of 1092 2508 cmd.exe 48 PID 1708 wrote to memory of 1592 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 50 PID 1708 wrote to memory of 1592 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 50 PID 1708 wrote to memory of 1592 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 50 PID 1708 wrote to memory of 1592 1708 9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe 50 PID 1176 wrote to memory of 1876 1176 cmd.exe 51 PID 1176 wrote to memory of 1876 1176 cmd.exe 51 PID 1176 wrote to memory of 1876 1176 cmd.exe 51 PID 1176 wrote to memory of 1876 1176 cmd.exe 51 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe"C:\Users\Admin\AppData\Local\Temp\9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c net users %username% LOCKEDBYROZBEH2⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\cmd.execmd.exe /c net users Admin LOCKEDBYROZBEH3⤵
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\net.exenet users Admin LOCKEDBYROZBEH4⤵PID:2256
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 users Admin LOCKEDBYROZBEH5⤵PID:1060
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c net users Administrator LOCKEDBYROZBEH2⤵
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\cmd.execmd.exe /c net users Administrator LOCKEDBYROZBEH3⤵PID:1092
-
C:\Windows\SysWOW64\net.exenet users Administrator LOCKEDBYROZBEH4⤵PID:1984
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 users Administrator LOCKEDBYROZBEH5⤵PID:2060
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c net user %username% LOCKEDBYROZBEH2⤵
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\cmd.execmd.exe /c net user Admin LOCKEDBYROZBEH3⤵
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\net.exenet user Admin LOCKEDBYROZBEH4⤵PID:1876
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin LOCKEDBYROZBEH5⤵PID:3008
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c net user Administrator LOCKEDBYROZBEH2⤵PID:2676
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net user Administrator LOCKEDBYROZBEH3⤵PID:1196
-
C:\Windows\SysWOW64\net.exenet user Administrator LOCKEDBYROZBEH4⤵PID:2384
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Administrator LOCKEDBYROZBEH5⤵PID:3040
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c bcdedit /set {default} recoveryenabled No2⤵PID:2652
-
C:\Windows\SysWOW64\cmd.execmd.exe /c bcdedit /set {default} recoveryenabled No3⤵PID:2904
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵PID:1648
-
C:\Windows\SysWOW64\cmd.execmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵PID:820
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c vssadmin delete shadows /all /quiet2⤵PID:1044
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet3⤵PID:3036
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2724
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP deleteOldest2⤵PID:2136
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP deleteOldest3⤵PID:1544
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP2⤵PID:932
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵PID:2120
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wbadmin delete catalog quiet2⤵PID:2008
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wbadmin delete catalog quiet3⤵PID:2920
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wevtutil cl system2⤵PID:1592
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wevtutil cl system3⤵PID:2244
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl system4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wevtutil cl security2⤵PID:1740
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wevtutil cl security3⤵PID:396
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl security4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wevtutil cl application2⤵PID:1516
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wevtutil cl application3⤵PID:1156
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl application4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wmic SHADOWCOPY /nointeractive2⤵PID:2908
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wmic SHADOWCOPY /nointeractive3⤵PID:3032
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY /nointeractive4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wmic shadowcopy delete2⤵PID:1536
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wmic shadowcopy delete3⤵PID:2576
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c assoc .lnk=NoBitchesFile && assoc .exe=NoBitchesFile && assoc .js=NoBitchesFile && assoc .dll=NoBitchesFile && assoc .vbs=NoBitchesFile && assoc .vbe=NoBitchesFile && assoc .ps1=NoBitchesFile && assoc .com=NoBitchesFile && assoc .bat=NoBitchesFile && assoc .cmd=NoBitchesFile && assoc .rb=NoBitchesFile && assoc .pl=NoBitchesFile && assoc .jar=NoBitchesFile2⤵
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\cmd.execmd.exe /c assoc .lnk=NoBitchesFile3⤵
- Modifies registry class
PID:2568
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c taskkill /im ComboCleaner.exe /f2⤵PID:1632
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /im ComboCleaner.exe /f3⤵PID:1728
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ComboCleaner.exe /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:816
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c echo ^[autorun^] > ..\autorun.inf2⤵
- Drops autorun.inf file
PID:1040
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c echo open^=WindowsScan^.exe >> ..\autorun.inf2⤵
- Drops autorun.inf file
PID:2084 -
C:\Windows\SysWOW64\cmd.execmd.exe /c echo open=WindowsScan.exe3⤵PID:2396
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c netsh Interface Set Interface Wi-Fi 12 disable2⤵PID:1376
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh Interface Set Interface Wi-Fi 12 disable3⤵PID:2592
-
C:\Windows\SysWOW64\netsh.exenetsh Interface Set Interface Wi-Fi 12 disable4⤵PID:2288
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c taskkill /im chrome.exe /f && taskkill /im WireShark.exe /f && taskkill /im MSASCUI.exe /f && taskkill /im taskmgr.exe /f && taskkill /im regedit.exe /f && taskkill /im Kaspersky.exe /f && taskkill /im msseces.exe /f && taskkill /im nod32.exe /f && taskkill /im msmpeng.exe /f && taskkill /im navapsvc.exe /f && taskkill /im avkwctl.exe /f && taskkill /im fsav32.exe /f2⤵PID:1908
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /im chrome.exe /f3⤵PID:2428
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im chrome.exe /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:560
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\cmd.exe2⤵
- Modifies registry class
PID:2316
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2952
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.0MB
MD53a949282b9bd8443e76f68e667b7b280
SHA1cde9e9a24a5d4f936ce31f136f24dbfb416dd64c
SHA2561a45650e297d7cf85a29227137c7fd7524949de980a0543b8acb6dad8955a388
SHA512ac09f26b016510736287ba842c89a2a53f602ed225defb5ea2aaed5c40eca8ea0d481d3fb6e691dc95db33897b62c81434cf4a05cf4a8304d97316c55523e070
-
Filesize
267KB
MD547cfb05bb17a6c2d9e6948f12f8ed7e5
SHA145bf92c7bf1eb6e829294a197da05b6618fd7e7f
SHA2567811d4a1e9c5eb3de6aa0dc59c0215e804376a93a719ead6bc2a09b23d77542b
SHA5123ddef21ab2d30c460f6cff21e80bea4ce237b22047994042ce8329f7fa375e69f3a7d942e62e2425b2fc40b16f058b129058559f0f3bbcee77802473bb7e7abf
-
Filesize
341KB
MD58b82a5fa188385ba27dbb6e3358961c2
SHA1850d92e914a330494c9c8e9bfff17898235d7e59
SHA256fbc1a6e137181a8a3d7cbbb16c6a5db2b3f4797a5f25ce125ab995f932c0a889
SHA51286f9574078df5dfa5f577c4f4508fe9b839d8afe9ba697d2b275d2996529a4bdb591f3850c0b0ef2f0d11e846569af87cd0e191a6b15a86ded9e684371a099ae
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF
Filesize344B
MD5033fca8035f852d1793445e2d440d7b9
SHA109064f46b4d7f9ca01d0d82b5b45678fa35d48be
SHA25667eea18fc9c7192a93c070b80f350ebb78a6beae1453f03122a71539c6b97de7
SHA5126cee0c203132566a00f26765c2943a30a44a91902993b2a09df36ad3f1e7911098283846009587d8f03504a3cd0f037f83d390f81a47c29a2d8acfe1574e2418
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF
Filesize224B
MD54961d1e19970c262cd928df897b91b40
SHA177444883f212ace904b4c01697a83e89ea0dad16
SHA25689c902d0e13a37432ad05cc21bd8689f965d2db1d2397b5f57bc4a12a403fa79
SHA512450f671dc9fcb622647f7b03368ab9b520a09f8fe3e2fac6bd10930d37debf9e706466e48a2024bf91506223192d3b68b2a9cea7a2436889780f24a5e8c101b7
-
Filesize
120B
MD5cecd79c476fb755bff8d1dee43656e4d
SHA18092eb7a3e05185450e795f562ed902679f312db
SHA2561168cd10acfa58ef0cd941ac81d8c238edd301afc0137fbc4f46549d6bb64e75
SHA512bcdc6d22193c682c34091a96bf253299a0d97a7169f93cc63a382b9a50ebd71976078d3958102c7b7cebaa5b7062963984ad921a74d7c84342396babc2cc2ea0
-
Filesize
120B
MD51121e293cab5d0255a2e591718999ba8
SHA1585e3b820b503d92c27576f534b05e99c96685cb
SHA256aaac01ec688c0bb00d15ae21786fb72f423e388dfd14bb5245803bca3d208460
SHA512f5231f5869a732575a047fcbc719244b322faa8783a814b275bf0afbc764a83489e1d60b7cf6004d68af01ac0acc0141e9458ae7394ced13a5a9fc07f0cc7a58
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF
Filesize192B
MD5ce384af0fd3ec8a8979f63e3b1a1014a
SHA1eed8c02b3bc34069358d6a0923f4c83a32a61479
SHA2566ff9cd8ee458e2217354683615ea2c3540b0c9866de593533432995855a13537
SHA5124ad2d6d1faf25f54d6a0a3c90f668b2635a9a90c48a0079730e6f4b712f91de1828eb8ea77f5335a3ece4795afbe3bf00d53c9eb1969ea7214242f9909f41423
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF
Filesize504B
MD510f34180a5eba783355578e6d806479a
SHA19bef16dd8c5ccdc82542952075c79cedbcd3a9c8
SHA2562008f8f5f230b707bca296197d90b96bc0304e3a6d58798a0f4f6f097b54ecd1
SHA512ef0c7c5dd14a138eb1758e254410bd8b7a69050ca54d0271f68064b068bd5b0c1f6de728aa04f56effa5523623d42af9f2890c3d435e93c7789faa54fe077991
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF
Filesize1KB
MD53525e4a86067894b8540fc34046f6d25
SHA1a49a5ea719063ea7005720dd885ce947d66930ce
SHA256d640c97cdac506116754e195ce8cf16f1e7a580564f047e13ca9ada862b6d01c
SHA5120cc954960ca7820ee12c44190a51743ada9a7793a1a49a3b288d4180cd513b3add9c5f21386a62a48d248802c76a2fb766c40a490d85010036fecd5a61ac2ebd
-
Filesize
808B
MD5a0692882d5675eb699ac8ccf27803d5b
SHA1a09c71f907fdade3d714aa0259c82ca2ad9e3cab
SHA2560131a47810d3e6d5ecbcb359f24b4c5dd086fc07522b9c1af0a63398aaa58ac9
SHA512974ba90868d41a62d15970097ff951d3b406a32639006c3d3e22180f7b51f8392150117e2ff83a1cd563355a4516e7d084e6a46b741a9203c8475b76cf2d7cd1
-
Filesize
1.4MB
MD58dbef05dc88644417e1f976f66cb86cf
SHA1c06b89c118bd729962e1e8e5bff316d0695cf600
SHA256d5d561db029d1a61c5a213ae2d408b9e5b48e9c7d29617b2d9714b9b7ff84e9b
SHA512f3e324ee1043244880a86f31b0adaf7934830508cb3a5334a59fa7a1e92d519cf8f17e73149aa97220afe687989da031cc7cc137aebd17c943bbee4ec627f7cf
-
Filesize
8B
MD56c8b2128eae4d17dc492a9c5b0a2f415
SHA15bbfb3928ff233478cc5622972b5db1f854cc067
SHA256f887f9f5a73df0856e068e5cb0938586d02eee687acec8ed9fedb8e9df10e9eb
SHA5126096d485041c55c9f6901f9b90dba86b15b4107ea907ba7c06a29280dc674fd30fbfed4ab5abd046b569534ed160309848b9ea206ec6780281abc5bea073bfb6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m9nu9nej.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Filesize48KB
MD5bc3769413689289353ec9c706cf14193
SHA1609f3a77422f7171b80de3d6b4dfc242ab9104e7
SHA25645e21afcb69bd024c4f8e26e6f02c4febc75005f3c374644a3260ee28d5c51ad
SHA512b7526391d7a26eb76720351472a2203510643937b6a79a5539ffbefef77efd2eeec38993ebbb984ef30e2138bc2b7463611be7270c10e384020a21292a29feef