Overview

Task scores (0-10) per sample and platform:
Static                  -                   10
Dropper/Berbew.exe      windows7-x64        10
Dropper/Berbew.exe      windows10-2004-x64  10
Dropper/Phorphiex.exe   windows7-x64        10
Dropper/Phorphiex.exe   windows10-2004-x64  10
RAT/31.exe              windows7-x64        10
RAT/31.exe              windows10-2004-x64  10
RAT/XClient.exe         windows7-x64        10
RAT/XClient.exe         windows10-2004-x64  10
RAT/file.exe            windows7-x64        7
RAT/file.exe            windows10-2004-x64  7
Ransomware...-2.exe     windows7-x64        10
Ransomware...-2.exe     windows10-2004-x64  10
Ransomware...01.exe     windows7-x64        10
Ransomware...01.exe     windows10-2004-x64  10
Ransomware...lt.exe     windows7-x64        10
Ransomware...lt.exe     windows10-2004-x64  10
Stealers/Azorult.exe    windows7-x64        10
Stealers/Azorult.exe    windows10-2004-x64  10
Stealers/B...on.exe     windows7-x64        10
Stealers/B...on.exe     windows10-2004-x64  10
Stealers/Dridex.dll     windows7-x64        10
Stealers/Dridex.dll     windows10-2004-x64  10
Stealers/M..._2.exe     windows7-x64        10
Stealers/M..._2.exe     windows10-2004-x64  10
Stealers/lumma.exe      windows7-x64        10
Stealers/lumma.exe      windows10-2004-x64  10
Trojan/BetaBot.exe      windows7-x64        10
Trojan/BetaBot.exe      windows10-2004-x64  10
Trojan/Smo...er.exe     windows7-x64        10
Trojan/Smo...er.exe     windows10-2004-x64  10

Resubmissions (date, task id, score):
03/09/2024, 14:02  240903-rb57sazdqf  10
03/09/2024, 13:51  240903-q59avszclf  10
02/09/2024, 19:51  240902-yk8gtsxbpd  10
02/09/2024, 02:27  240902-cxh7tazflg  10
02/09/2024, 02:26  240902-cwxc2sygll  10
21/06/2024, 19:37  240621-yca7cszgnd  10
09/06/2024, 17:07  240609-vm7rjadd73  10
13/05/2024, 17:36  240513-v6qblafe3y  10
12/05/2024, 17:17  240512-vty3zafh5s  10

Analysis
max time kernel: 93s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/09/2024, 14:02
Behavioral tasks (task: sample, resource)
behavioral1: Dropper/Berbew.exe, win7-20240708-en
behavioral2: Dropper/Berbew.exe, win10v2004-20240802-en
behavioral3: Dropper/Phorphiex.exe, win7-20240903-en
behavioral4: Dropper/Phorphiex.exe, win10v2004-20240802-en
behavioral5: RAT/31.exe, win7-20240708-en
behavioral6: RAT/31.exe, win10v2004-20240802-en
behavioral7: RAT/XClient.exe, win7-20240903-en
behavioral8: RAT/XClient.exe, win10v2004-20240802-en
behavioral9: RAT/file.exe, win7-20240903-en
behavioral10: RAT/file.exe, win10v2004-20240802-en
behavioral11: Ransomware/Client-2.exe, win7-20240903-en
behavioral12: Ransomware/Client-2.exe, win10v2004-20240802-en
behavioral13: Ransomware/criticalupdate01.exe, win7-20240903-en
behavioral14: Ransomware/criticalupdate01.exe, win10v2004-20240802-en
behavioral15: Ransomware/default.exe, win7-20240903-en
behavioral16: Ransomware/default.exe, win10v2004-20240802-en
behavioral17: Stealers/Azorult.exe, win7-20240704-en
behavioral18: Stealers/Azorult.exe, win10v2004-20240802-en
behavioral19: Stealers/BlackMoon.exe, win7-20240903-en
behavioral20: Stealers/BlackMoon.exe, win10v2004-20240802-en
behavioral21: Stealers/Dridex.dll, win7-20240708-en
behavioral22: Stealers/Dridex.dll, win10v2004-20240802-en
behavioral23: Stealers/Masslogger/mouse_2.exe, win7-20240903-en
behavioral24: Stealers/Masslogger/mouse_2.exe, win10v2004-20240802-en
behavioral25: Stealers/lumma.exe, win7-20240903-en
behavioral26: Stealers/lumma.exe, win10v2004-20240802-en
behavioral27: Trojan/BetaBot.exe, win7-20240903-en
behavioral28: Trojan/BetaBot.exe, win10v2004-20240802-en
behavioral29: Trojan/SmokeLoader.exe, win7-20240708-en
behavioral30: Trojan/SmokeLoader.exe, win10v2004-20240802-en
General
Target: Ransomware/Client-2.exe
Size: 80KB
MD5: 8152a3d0d76f7e968597f4f834fdfa9d
SHA1: c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256: 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512: eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP: 1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0
Malware Config
Extracted from: C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
Family: hakbit
Signatures
- Hakbit: Ransomware which encrypts files using AES, first seen in November 2019.
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP): Malicious access to or copy of a web browser credential store.
- Checks computer location settings (2 TTPs, 1 IoC): Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation (Client-2.exe)
- Credentials from Password Stores: Windows Credential Manager (1 TTP): Suspicious access to Credentials History.
- Drops startup file (1 IoC): File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk (Client-2.exe)
- Reads user/profile data of web browsers (2 TTPs): Infostealers often target stored browser data, which can include saved credentials.
- Launches sc.exe (4 IoCs): sc.exe is a Windows utility to control services on the system.
  PIDs: 4284 sc.exe, 4432 sc.exe, 1688 sc.exe, 216 sc.exe
- Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs): Adversaries may check for Internet connectivity on compromised systems.
  PIDs: 5896 cmd.exe, 7112 PING.EXE
- Kills process with taskkill (47 IoCs)
  PIDs: 47 taskkill.exe processes (each listed with its command line in the process tree below)
- Opens file in notepad (likely ransom note) (1 IoC)
  PIDs: 4348 notepad.exe
- Runs ping.exe (1 TTP, 1 IoC)
  PIDs: 7112 PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PIDs: 520 Client-2.exe (all 64 entries are PID 520)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Token: SeDebugPrivilege; processes: 520 Client-2.exe, 4516 powershell.exe, and the taskkill.exe processes flagged with this signature in the process tree below
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PIDs: 520 Client-2.exe, 4348 notepad.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  PIDs: 520 Client-2.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 520 Client-2.exe wrote to the memory of the child processes listed in the process tree below (per-target entries omitted)
Processes (indentation shows parent/child; signatures in brackets)
C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe (PID 520): "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"
  [Checks computer location settings; Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory]
  C:\Windows\SYSTEM32\sc.exe (PID 4432): "sc.exe" config SQLTELEMETRY start= disabled  [Launches sc.exe]
  C:\Windows\SYSTEM32\sc.exe (PID 4284): "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled  [Launches sc.exe]
  C:\Windows\SYSTEM32\cmd.exe (PID 5032): "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  C:\Windows\SYSTEM32\sc.exe (PID 216): "sc.exe" config SQLWriter start= disabled  [Launches sc.exe]
  C:\Windows\SYSTEM32\sc.exe (PID 1688): "sc.exe" config SstpSvc start= disabled  [Launches sc.exe]
  C:\Windows\SYSTEM32\taskkill.exe (PID 1220): "taskkill.exe" /IM mspub.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 5088): "taskkill.exe" /IM mydesktopqos.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 4368): "taskkill.exe" /IM mydesktopservice.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 3104): "taskkill.exe" /IM mysqld.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 412): "taskkill.exe" /IM sqbcoreservice.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 856): "taskkill.exe" /IM firefoxconfig.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 4628): "taskkill.exe" /IM agntsvc.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 4864): "taskkill.exe" /IM thebat.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 4940): "taskkill.exe" /IM steam.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 3344): "taskkill.exe" /IM encsvc.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 3372): "taskkill.exe" /IM excel.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 3348): "taskkill.exe" /IM CNTAoSMgr.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 1116): "taskkill.exe" /IM sqlwriter.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 1848): "taskkill.exe" /IM tbirdconfig.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 1420): "taskkill.exe" /IM dbeng50.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 2100): "taskkill.exe" /IM thebat64.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 4372): "taskkill.exe" /IM ocomm.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 804): "taskkill.exe" /IM infopath.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 3924): "taskkill.exe" /IM mbamtray.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 2240): "taskkill.exe" /IM zoolz.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 644): "taskkill.exe" IM thunderbird.exe /F  [Kills process with taskkill]
  C:\Windows\SYSTEM32\taskkill.exe (PID 1076): "taskkill.exe" /IM dbsnmp.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 2896): "taskkill.exe" /IM xfssvccon.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 2116): "taskkill.exe" /IM mspub.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 2348): "taskkill.exe" /IM Ntrtscan.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 4156): "taskkill.exe" /IM isqlplussvc.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 2608): "taskkill.exe" /IM onenote.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 2316): "taskkill.exe" /IM PccNTMon.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 2744): "taskkill.exe" /IM msaccess.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 4128): "taskkill.exe" /IM outlook.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 2364): "taskkill.exe" /IM tmlisten.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 3552): "taskkill.exe" /IM msftesql.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 3976): "taskkill.exe" /IM powerpnt.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 4020): "taskkill.exe" /IM mydesktopqos.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 1684): "taskkill.exe" /IM visio.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 4400): "taskkill.exe" /IM mydesktopservice.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 2472): "taskkill.exe" /IM winword.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 3268): "taskkill.exe" /IM mysqld-nt.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 3204): "taskkill.exe" /IM wordpad.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 228): "taskkill.exe" /IM mysqld-opt.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 2344): "taskkill.exe" /IM ocautoupds.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 3036): "taskkill.exe" /IM ocssd.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 2380): "taskkill.exe" /IM oracle.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 1720): "taskkill.exe" /IM sqlagent.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 1460): "taskkill.exe" /IM sqlbrowser.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 3900): "taskkill.exe" /IM sqlservr.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SYSTEM32\taskkill.exe (PID 592): "taskkill.exe" /IM synctime.exe /F  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4516): "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }  [Suspicious use of AdjustPrivilegeToken]
  C:\Windows\System32\notepad.exe (PID 4348): "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt  [Opens file in notepad (likely ransom note); Suspicious use of FindShellTrayWindow]
  C:\Windows\SYSTEM32\cmd.exe (PID 5896): "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”  [System Network Configuration Discovery: Internet Connection Discovery]
    C:\Windows\system32\PING.EXE (PID 7112): ping 127.0.0.7 -n 3  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
    C:\Windows\system32\fsutil.exe (PID 5812): fsutil file setZeroData offset=0 length=524288 “%s”
  C:\Windows\System32\cmd.exe (PID 5880): "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
    C:\Windows\system32\choice.exe (PID 6540): choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi (28.8MB)
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]] (728KB)
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi (25.7MB)
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]] (180KB)