Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
1008751be484...2d.dll
windows7-x64
100a9f79abd4...51.exe
windows7-x64
30di3x.exe
windows7-x64
102019-09-02...10.exe
windows7-x64
102c01b00772...eb.exe
windows7-x64
731.exe
windows7-x64
103DMark 11 ...on.exe
windows7-x64
342f9729255...61.exe
windows7-x64
105da0116af4...18.exe
windows7-x64
769c56d12ed...6b.exe
windows7-x64
10905d572f23...50.exe
windows7-x64
10948340be97...54.exe
windows7-x64
1095560f1a46...f9.dll
windows7-x64
3Archive.zi...3e.exe
windows7-x64
8DiskIntern...en.exe
windows7-x64
3ForceOp 2....ce.exe
windows7-x64
7HYDRA.exe
windows7-x64
10KLwC6vii.exe
windows7-x64
1Keygen.exe
windows7-x64
10Lonelyscre...ox.exe
windows7-x64
3LtHv0O2KZDK4M637.exe
windows7-x64
10Magic_File...ja.exe
windows7-x64
3OnlineInstaller.exe
windows7-x64
8Remouse.Mi...cg.exe
windows7-x64
3SecuriteIn...dE.exe
windows7-x64
10SecuriteIn...ee.dll
windows7-x64
10SecurityTa...up.exe
windows7-x64
4Treasure.V...ox.exe
windows7-x64
3VyprVPN.exe
windows7-x64
10WSHSetup[1].exe
windows7-x64
3Yard.dll
windows7-x64
10b2bd3de3e5...2).exe
windows7-x64
10Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
11/02/2025, 00:12
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win7-20240729-en
Behavioral task
behavioral3
Sample
0di3x.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win7-20240729-en
Behavioral task
behavioral5
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
31.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
3DMark 11 Advanced Edition.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
42f972925508a82236e8533567487761.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win7-20240729-en
Behavioral task
behavioral11
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win7-20240729-en
Behavioral task
behavioral13
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win7-20241010-en
Behavioral task
behavioral15
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win7-20241010-en
Behavioral task
behavioral17
Sample
HYDRA.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
KLwC6vii.exe
Resource
win7-20240729-en
Behavioral task
behavioral19
Sample
Keygen.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
LtHv0O2KZDK4M637.exe
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
OnlineInstaller.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
SecuriteInfo.com.Generic.mg.cde56cf0169830ee.dll
Resource
win7-20241010-en
Behavioral task
behavioral27
Sample
SecurityTaskManager_Setup.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win7-20241010-en
Behavioral task
behavioral29
Sample
VyprVPN.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
WSHSetup[1].exe
Resource
win7-20240729-en
Behavioral task
behavioral31
Sample
Yard.dll
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (2).exe
Resource
win7-20240729-en
General
-
Target
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
-
Size
80KB
-
MD5
8152a3d0d76f7e968597f4f834fdfa9d
-
SHA1
c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
-
SHA256
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
-
SHA512
eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
-
SSDEEP
1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0
Malware Config
Extracted
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
hakbit
Signatures
-
Disables service(s) 3 TTPs
-
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Hakbit family
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
pid Process 2600 cmd.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2116 sc.exe 1788 sc.exe 1516 sc.exe 2100 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3528 cmd.exe 3980 PING.EXE -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Kills process with taskkill 47 IoCs
pid Process 2756 taskkill.exe 2620 taskkill.exe 840 taskkill.exe 748 taskkill.exe 1988 taskkill.exe 2664 taskkill.exe 2828 taskkill.exe 2952 taskkill.exe 2580 taskkill.exe 2704 taskkill.exe 2568 taskkill.exe 2080 taskkill.exe 2532 taskkill.exe 2508 taskkill.exe 2852 taskkill.exe 2168 taskkill.exe 2368 taskkill.exe 2120 taskkill.exe 1796 taskkill.exe 1728 taskkill.exe 2836 taskkill.exe 2868 taskkill.exe 1276 taskkill.exe 2936 taskkill.exe 2564 taskkill.exe 2544 taskkill.exe 2624 taskkill.exe 2636 taskkill.exe 1028 taskkill.exe 1824 taskkill.exe 2492 taskkill.exe 2524 taskkill.exe 1196 taskkill.exe 2496 taskkill.exe 2832 taskkill.exe 2768 taskkill.exe 2976 taskkill.exe 2700 taskkill.exe 2784 taskkill.exe 1628 taskkill.exe 2028 taskkill.exe 2332 taskkill.exe 2296 taskkill.exe 1228 taskkill.exe 2500 taskkill.exe 2648 taskkill.exe 3008 taskkill.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings rundll32.exe -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 572 notepad.exe 3128 NOTEPAD.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3980 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1032 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe Token: SeDebugPrivilege 2852 taskkill.exe Token: SeDebugPrivilege 2080 taskkill.exe Token: SeDebugPrivilege 2168 taskkill.exe Token: SeDebugPrivilege 2768 taskkill.exe Token: SeDebugPrivilege 2524 taskkill.exe Token: SeDebugPrivilege 1988 taskkill.exe Token: SeDebugPrivilege 2828 taskkill.exe Token: SeDebugPrivilege 2784 taskkill.exe Token: SeDebugPrivilege 1728 taskkill.exe Token: SeDebugPrivilege 1228 taskkill.exe Token: SeDebugPrivilege 1196 taskkill.exe Token: SeDebugPrivilege 2756 taskkill.exe Token: SeDebugPrivilege 1276 taskkill.exe Token: SeDebugPrivilege 840 taskkill.exe Token: SeDebugPrivilege 2296 taskkill.exe Token: SeDebugPrivilege 1028 taskkill.exe Token: SeDebugPrivilege 2028 taskkill.exe Token: SeDebugPrivilege 2624 taskkill.exe Token: SeDebugPrivilege 2332 taskkill.exe Token: SeDebugPrivilege 2836 taskkill.exe Token: SeDebugPrivilege 2648 taskkill.exe Token: SeDebugPrivilege 2636 taskkill.exe Token: SeDebugPrivilege 1796 taskkill.exe Token: SeDebugPrivilege 2664 taskkill.exe Token: SeDebugPrivilege 2868 taskkill.exe Token: SeDebugPrivilege 2508 taskkill.exe Token: SeDebugPrivilege 2620 taskkill.exe Token: SeDebugPrivilege 2500 taskkill.exe Token: SeDebugPrivilege 2568 taskkill.exe Token: SeDebugPrivilege 2532 taskkill.exe Token: SeDebugPrivilege 2704 taskkill.exe Token: SeDebugPrivilege 2368 taskkill.exe Token: SeDebugPrivilege 2492 taskkill.exe Token: SeDebugPrivilege 2496 taskkill.exe Token: SeDebugPrivilege 2580 taskkill.exe Token: SeDebugPrivilege 2564 taskkill.exe Token: SeDebugPrivilege 3008 taskkill.exe Token: SeDebugPrivilege 2544 taskkill.exe Token: SeDebugPrivilege 1824 taskkill.exe Token: SeDebugPrivilege 2952 taskkill.exe Token: SeDebugPrivilege 1628 taskkill.exe Token: SeDebugPrivilege 2832 taskkill.exe Token: SeDebugPrivilege 2936 taskkill.exe Token: SeDebugPrivilege 2120 taskkill.exe Token: SeDebugPrivilege 748 taskkill.exe Token: SeDebugPrivilege 2700 taskkill.exe Token: SeDebugPrivilege 3576 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2436 wrote to memory of 1516 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 31 PID 2436 wrote to memory of 1516 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 31 PID 2436 wrote to memory of 1516 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 31 PID 2436 wrote to memory of 1788 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 32 PID 2436 wrote to memory of 1788 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 32 PID 2436 wrote to memory of 1788 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 32 PID 2436 wrote to memory of 2116 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 33 PID 2436 wrote to memory of 2116 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 33 PID 2436 wrote to memory of 2116 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 33 PID 2436 wrote to memory of 2100 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 34 PID 2436 wrote to memory of 2100 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 34 PID 2436 wrote to memory of 2100 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 34 PID 2436 wrote to memory of 1988 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 35 PID 2436 wrote to memory of 1988 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 35 PID 2436 wrote to memory of 1988 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 35 PID 2436 wrote to memory of 1196 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 40 PID 2436 wrote to memory of 1196 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 40 PID 2436 wrote to memory of 1196 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 40 PID 2436 wrote to memory of 2080 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 41 PID 2436 wrote to memory of 2080 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 41 PID 2436 wrote to memory of 2080 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 41 PID 2436 wrote to memory of 2568 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 42 PID 2436 wrote to memory of 2568 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 42 PID 2436 wrote to memory of 2568 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 42 PID 2436 wrote to memory of 2852 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 43 PID 2436 wrote to memory of 2852 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 43 PID 2436 wrote to memory of 2852 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 43 PID 2436 wrote to memory of 3008 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 46 PID 2436 wrote to memory of 3008 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 46 PID 2436 wrote to memory of 3008 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 46 PID 2436 wrote to memory of 2580 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 47 PID 2436 wrote to memory of 2580 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 47 PID 2436 wrote to memory of 2580 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 47 PID 2436 wrote to memory of 2756 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 53 PID 2436 wrote to memory of 2756 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 53 PID 2436 wrote to memory of 2756 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 53 PID 2436 wrote to memory of 2704 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 55 PID 2436 wrote to memory of 2704 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 55 PID 2436 wrote to memory of 2704 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 55 PID 2436 wrote to memory of 2636 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 56 PID 2436 wrote to memory of 2636 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 56 PID 2436 wrote to memory of 2636 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 56 PID 2436 wrote to memory of 2868 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 58 PID 2436 wrote to memory of 2868 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 58 PID 2436 wrote to memory of 2868 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 58 PID 2436 wrote to memory of 2784 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 59 PID 2436 wrote to memory of 2784 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 59 PID 2436 wrote to memory of 2784 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 59 PID 2436 wrote to memory of 2620 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 60 PID 2436 wrote to memory of 2620 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 60 PID 2436 wrote to memory of 2620 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 60 PID 2436 wrote to memory of 2496 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 61 PID 2436 wrote to memory of 2496 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 61 PID 2436 wrote to memory of 2496 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 61 PID 2436 wrote to memory of 2648 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 64 PID 2436 wrote to memory of 2648 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 64 PID 2436 wrote to memory of 2648 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 64 PID 2436 wrote to memory of 2168 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 65 PID 2436 wrote to memory of 2168 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 65 PID 2436 wrote to memory of 2168 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 65 PID 2436 wrote to memory of 2524 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 66 PID 2436 wrote to memory of 2524 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 66 PID 2436 wrote to memory of 2524 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 66 PID 2436 wrote to memory of 2664 2436 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe 68
Processes
-
C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
- Launches sc.exe
PID:1516
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
- Launches sc.exe
PID:1788
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
- Launches sc.exe
PID:2116
-
-
C:\Windows\system32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
- Launches sc.exe
PID:2100
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1196
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3008
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2524
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
PID:2976
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵PID:572
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2952
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1824
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1728
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1228
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:840
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1276
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2296
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:748
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3576
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt2⤵
- Opens file in notepad (likely ransom note)
PID:572
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3528 -
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3980
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:3360
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe2⤵
- Deletes itself
PID:2600 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵PID:3688
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnprotectTest.mp4.energy[[email protected]]1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1032
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt1⤵
- Opens file in notepad (likely ransom note)
PID:3128
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\VcMedia.rar1⤵
- Modifies registry class
PID:2696
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
PID:2312 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef74d9758,0x7fef74d9768,0x7fef74d97782⤵PID:1712
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck.energy[[email protected]]
Filesize4KB
MD53ec577f18db2c0965da13339aaafcc98
SHA182db7e6fb4bca0e9d519a82f08a009bbb79cfbce
SHA256c078c0613697e63b35da641bb5e62be7c56069fb8577f5e03266edf442c79d46
SHA51218df7cd831d65fe08c16fb94e06e592818fd76f95821975efb1232f63c340955c215ffc8d7575f669fbd7c679de1efaba30777f15a6e8fd2758f9abd474d32a9
-
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
Filesize180KB
MD553391e50f5842732fb810c20bfeda978
SHA10856b811c7dd49eb60ff4620e45abc793b1408c8
SHA256ec13ca14b6e847ae6bd6d0dcfd6cae236d86ec4655ca5a83c51b6ab42ae65b03
SHA512756d86ecfc4fbc0bd3e4c3391dcddbaee56e6db91fdec38130d8a12241a181ba3231a94bc48353c900e225cd6d6894ff95b947a27017579d8796bc75e8286ff1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD502d351c55ea8b84bbe215faf7a417bd0
SHA157aa7fae5a2ff1f19d6d833c192ec4856ef61fe5
SHA2563520e45f487e72a9dd8151d01f9d3395fea8a756661196d1d71b30df8883d864
SHA512e01e9b2df8dc800b3336715c2189049c0d38ed9cdcb60efeee4079f1f9c4bfb68e1263087c1bdf2cd69fa220c594952bac306238cea89708013607a9d192bb93
-
Filesize
828B
MD5d76270c5de853d93bfca190c720190e5
SHA1766a13ab5111cc11fbf402c36e49daf0e1f03cb9
SHA256ac611486579262f85e4bd6c6d2c4aafa19e9eb74754b521f6a7aa87cbb0c69f6
SHA5129124aca74bbceb2c95e089849be887d4c5b4af98a2abc5a6bf8fec86534a4805cc239df458f8a2c07ed5b6db0ce7df63eec89a9771d437ef4f5b5b42bfd55e1d