dbcc1bec2dbc4002cfdade40966eb639ccf4da67a7b9728f444beb1d35ed4f7f

Resubmissions

12/06/2024, 08:28

240612-kcy2jawckj 10

10/06/2024, 17:27

240610-v1ktxsvbpk 10

Analysis

max time kernel
15s
max time network
24s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
10/06/2024, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mydoom/Mydoom Ransomwares/1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
Size

127KB
MD5

93a7ed73f2245a1f043b74e724705f54
SHA1

6b97b4cd5d44e607540b841081f68b7755ce59f5
SHA256

1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406
SHA512

ab1d5999d7bdeb0a2d93a7476cbcace92971417d45a7459fbe294ed66d0466f0e121a68fe9ade89c3c71d4afab3b81b94aaaeabc99e6f02f79c307acbf574090
SSDEEP

3072:bhADm5OPINYUsx0Ki6uA9bKHtBdQex7Coy5q5l:bhAcO7xhjuA9bQQzq

Score

10^/10

evasion execution ransomware

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Renames multiple (228) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RemoveAssert.DVR-MS	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\RemoveAssert.DVR-MS.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\BackupExit.jpg	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\BackupExit.jpg.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ImportFormat.vb.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\MountSplit.xht	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\DenyCompare.wav.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\NewUndo.avi	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\OutAdd.vsw	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ProtectRequest.xla	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\MountOut.mp4v	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\NewDeny.cfg	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResizeDeny.3gp2	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResetCompress.mpg.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResizeDebug.ram.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResolveCheckpoint.mp4v	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\TraceOpen.mp4	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\CloseUndo.wma	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ImportFormat.vb	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\InitializeRestart.aifc.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResizeDebug.ram	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\InitializeRestart.aifc	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ShowRemove.M2TS	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\OutAdd.vsw.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\StopConvertFrom.7z	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\StopConvertFrom.7z.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\FormatInvoke.vstm	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\NewUndo.avi.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResetCompress.mpg	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\MountOut.mp4v.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResolveCheckpoint.mp4v.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\FindPublish.nfo.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\CopyConvertTo.mp3	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\DenyCompare.wav	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\DismountSuspend.mht.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\EnableSet.bat.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\DismountAssert.wax.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\LimitGrant.xps	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\RemoveDebug.asx	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\TraceOpen.mp4.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ShowRemove.M2TS.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\EnableSet.bat	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\FindClose.emf	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\FormatInvoke.vstm.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\NewDeny.cfg.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\FindClose.emf.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\SelectResolve.xla.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\RequestPop.wdp	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\RequestPop.wdp.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResizeDeny.3gp2.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\DismountSuspend.mht	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\FindPublish.nfo	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\LimitGrant.xps.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\MountSplit.xht.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\RemoveDebug.asx.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\SelectResolve.xla	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\CloseUndo.wma.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\CopyConvertTo.mp3.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\DismountAssert.wax	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ProtectRequest.xla.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system.ini.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\win.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\DtcInstall.log.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\lsasetup.log	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\setupact.log	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\setuperr.log	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\SysmonDrv.sys	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\system.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\mib.bin	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\PFRO.log.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\setupact.log.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\SysmonDrv.sys.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\WindowsUpdate.log	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\WMSysPr9.prx	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\win.ini.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\WindowsUpdate.log.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\bootstat.dat	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\DtcInstall.log	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\lsasetup.log.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\PFRO.log	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\Professional.xml	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\Professional.xml.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File created	C:\Windows\RESTORE_FILES_INFO.txt	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
904	sc.exe
2508	sc.exe
4904	sc.exe
1284	sc.exe
2260	sc.exe
1236	sc.exe
956	sc.exe
3940	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

pid	Process
868	taskkill.exe
4856	taskkill.exe
4956	taskkill.exe
2908	taskkill.exe
1224	taskkill.exe
2164	taskkill.exe
3244	taskkill.exe
5068	taskkill.exe
2892	taskkill.exe
2040	taskkill.exe
4852	taskkill.exe
2740	taskkill.exe
3168	taskkill.exe
436	taskkill.exe
4712	taskkill.exe
4740	taskkill.exe
4896	taskkill.exe
1704	taskkill.exe
3344	taskkill.exe
1500	taskkill.exe
4464	taskkill.exe
5000	taskkill.exe
2280	taskkill.exe
2700	taskkill.exe
1124	taskkill.exe
3556	taskkill.exe
4008	taskkill.exe
2916	taskkill.exe
1304	taskkill.exe
3612	taskkill.exe
2948	taskkill.exe
1480	taskkill.exe
2120	taskkill.exe
3800	taskkill.exe
4628	taskkill.exe
1392	taskkill.exe
3412	taskkill.exe
1940	taskkill.exe
2692	taskkill.exe
2096	taskkill.exe
1200	taskkill.exe
3148	taskkill.exe
544	taskkill.exe
2336	taskkill.exe
4372	taskkill.exe
4768	taskkill.exe
444	taskkill.exe
4560	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3480	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4192	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
Token: SeDebugPrivilege	4560	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	1304	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	3412	taskkill.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	4740	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	4768	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	4852	taskkill.exe
Token: SeDebugPrivilege	444	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	4464	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	2096	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeDebugPrivilege	3148	taskkill.exe
Token: SeDebugPrivilege	436	taskkill.exe
Token: SeDebugPrivilege	1336	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 4560	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	77
PID 3664 wrote to memory of 4560	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	77
PID 3664 wrote to memory of 4560	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	77
PID 3664 wrote to memory of 704	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	79
PID 3664 wrote to memory of 704	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	79
PID 3664 wrote to memory of 704	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	79
PID 3664 wrote to memory of 3480	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	81
PID 3664 wrote to memory of 3480	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	81
PID 3664 wrote to memory of 3480	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	81
PID 3664 wrote to memory of 3700	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	83
PID 3664 wrote to memory of 3700	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	83
PID 3664 wrote to memory of 3700	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	83
PID 3664 wrote to memory of 1284	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	85
PID 3664 wrote to memory of 1284	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	85
PID 3664 wrote to memory of 1284	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	85
PID 3664 wrote to memory of 2260	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	86
PID 3664 wrote to memory of 2260	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	86
PID 3664 wrote to memory of 2260	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	86
PID 3664 wrote to memory of 1236	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	87
PID 3664 wrote to memory of 1236	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	87
PID 3664 wrote to memory of 1236	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	87
PID 3664 wrote to memory of 2172	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	91
PID 3664 wrote to memory of 2172	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	91
PID 3664 wrote to memory of 2172	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	91
PID 3664 wrote to memory of 956	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	93
PID 3664 wrote to memory of 956	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	93
PID 3664 wrote to memory of 956	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	93
PID 3664 wrote to memory of 3940	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	94
PID 3664 wrote to memory of 3940	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	94
PID 3664 wrote to memory of 3940	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	94
PID 3664 wrote to memory of 904	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	95
PID 3664 wrote to memory of 904	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	95
PID 3664 wrote to memory of 904	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	95
PID 3664 wrote to memory of 2508	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	99
PID 3664 wrote to memory of 2508	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	99
PID 3664 wrote to memory of 2508	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	99
PID 3664 wrote to memory of 4904	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	100
PID 3664 wrote to memory of 4904	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	100
PID 3664 wrote to memory of 4904	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	100
PID 3664 wrote to memory of 5000	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	103
PID 3664 wrote to memory of 5000	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	103
PID 3664 wrote to memory of 5000	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	103
PID 3664 wrote to memory of 3168	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	104
PID 3664 wrote to memory of 3168	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	104
PID 3664 wrote to memory of 3168	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	104
PID 3664 wrote to memory of 2892	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	107
PID 3664 wrote to memory of 2892	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	107
PID 3664 wrote to memory of 2892	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	107
PID 3664 wrote to memory of 5068	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	109
PID 3664 wrote to memory of 5068	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	109
PID 3664 wrote to memory of 5068	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	109
PID 3664 wrote to memory of 2040	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	111
PID 3664 wrote to memory of 2040	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	111
PID 3664 wrote to memory of 2040	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	111
PID 3664 wrote to memory of 2916	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	113
PID 3664 wrote to memory of 2916	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	113
PID 3664 wrote to memory of 2916	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	113
PID 3664 wrote to memory of 2336	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	181
PID 3664 wrote to memory of 2336	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	181
PID 3664 wrote to memory of 2336	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	181
PID 3664 wrote to memory of 1392	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	117
PID 3664 wrote to memory of 1392	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	117
PID 3664 wrote to memory of 1392	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	117
PID 3664 wrote to memory of 868	3664	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	119

C:\Users\Admin\AppData\Local\Temp\Mydoom\Mydoom Ransomwares\1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
"C:\Users\Admin\AppData\Local\Temp\Mydoom\Mydoom Ransomwares\1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4560
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:704
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3480
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:3700
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  - Launches sc.exe
  PID:1284
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  - Launches sc.exe
  PID:2260
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  - Launches sc.exe
  PID:1236
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:2172
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  - Launches sc.exe
  PID:956
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:3940
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:904
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:2508
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4904
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4896
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4768
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2336
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3800
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3148
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  PID:4756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:4192
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Mydoom\Mydoom Ransomwares\1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs.secure[[email protected]]

Filesize
1024KB

MD5
9029fcc695c76bb1afb6c5a4bb32a8fb

SHA1
7313a07e22ed6d07e29668d3f77d8331f6f1b798

SHA256
6f5b064710656c170fbff82e7a6200a29fe09911fae8d563a56780bfe29511cf

SHA512
cc15e7362a08998726aab0de494b9ef58e182325fd8ba65fc6735967870661aab8c38dc7f6b95bc15df2b9eed2afb3619599d82eb16d8505997b77917ed3ce12

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi.secure[[email protected]]

Filesize
28.8MB

MD5
d7c3b5ede7cc08eb8840fdb9b1ddeebf

SHA1
c3773f4b213fc9f3094900649718b9588defa037

SHA256
bd27fa9513d8c0bbcfc1f90288ff3799f4a0673c2c6c365637023ff8b0bf001d

SHA512
675f17a400c018c15a36a992e8bb426fc9e68fc88a60bc16ff61d3ad5b326d8499e4a47080f24b7b3ee44aab3e865f54af30b1f66356f1d813e358d5cf7d5074

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.secure[[email protected]]

Filesize
728KB

MD5
facdc669b77d4d79d9452dbcb9cb74b0

SHA1
f4627df3e19853f491708334588056ddc70bae27

SHA256
196396910ea9194e6d23df07e497da7631817404ab64700b5142eb2f4d8beff4

SHA512
9c3a1c263c23ab0bc9f02a285d329566e4582cf5624ea0d5f06115d467bd79f6d397318fb4199fb030e95e1456e3e3364b0053ce174a1b12db89a18d71cd3d39

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi.secure[[email protected]]

Filesize
25.7MB

MD5
8df2b76066131eb0d154861207774428

SHA1
89c49ddbf8acc3e268b1d8896af68661875745c1

SHA256
e67fc8c246b3186f84c7d451caa0450b9794e34f806b59b6f0b239762b44b873

SHA512
bd10a5c56c67c58e13f117596c512cbd85f41b33cbdb36bd15d4f3e0c3458f018adba3b6b94ee1e5948a53194d98db0f2a34ff5302deac2df741ebd30e493a0e

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.secure[[email protected]]

Filesize
180KB

MD5
a743bed37c5d6ea787a12d861718e6ed

SHA1
ececb001962d690b86bf174f19ad828a4745fe0a

SHA256
cb9bebc8312a1eec0b5eaaa29d17e61a8739604a0227822c24f5010e6f8ff73b

SHA512
b76a48ac65a848cf144c1469cf433ba4d19e370cb93c766d85f947b194a48523782e5a3b331d4775dfb3796b4571d0311c0ac5553c62f3d588d08e1d9934511a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgiccj3l.rcl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Filesize
1KB

MD5
10f4bace88d55713be6ede3929d0cee5

SHA1
2d2a5aa0293d8fae935acd72ff56bb0d09f4100d

SHA256
dac413e698454ddbbf167f839949f61aaec0f63d48cfa169bf66de767a1a105b

SHA512
ca8e061b8249b5bfb3a1abb1f19858d4c09bd0386d8227341894f0eb0cb52145f539ac5b446523f63f40d4f35766c993950a400248f7bdf7f244c46269051f97

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Filesize
914B

MD5
dc2eeb9f35a4db55256e287e1fbc7f75

SHA1
df6b862e9590b8bf00f5286691e552e6ebbe4c0e

SHA256
36842cdd712e8168bef30bcf769b3ca7d6b61863f5b055e0f93a927bd2c6ca06

SHA512
1b45b75b0b31bb807fd92080bd404a74b678a9327b5cc1f0ec2c88a4b947bfffb370cfadf876b364b6b99391b43985a7b267718dee56b08deeb409fac9c376a0

Download Submit
memory/1336-80-0x0000000002CB0000-0x0000000002CE6000-memory.dmp

Filesize
216KB

Download
memory/1336-81-0x00000000056D0000-0x0000000005CFA000-memory.dmp

Filesize
6.2MB

Download
memory/1336-86-0x00000000055F0000-0x0000000005612000-memory.dmp

Filesize
136KB

Download
memory/1336-87-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/1336-96-0x0000000006040000-0x0000000006397000-memory.dmp

Filesize
3.3MB

Download
memory/1336-102-0x0000000006470000-0x000000000648E000-memory.dmp

Filesize
120KB

Download
memory/1336-103-0x00000000064B0000-0x00000000064FC000-memory.dmp

Filesize
304KB

Download
memory/3664-3-0x0000000074270000-0x0000000074A21000-memory.dmp

Filesize
7.7MB

Download
memory/3664-1-0x0000000000DD0000-0x0000000000DF6000-memory.dmp

Filesize
152KB

Download
memory/3664-2-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/3664-0-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/3664-632-0x0000000074270000-0x0000000074A21000-memory.dmp

Filesize
7.7MB

Download