hakbit | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

16/04/2025, 11:04

250416-m58gsaz1ay 10

15/04/2025, 17:34

15/04/2025, 06:16

14/04/2025, 08:06

14/04/2025, 07:59

14/04/2025, 07:22

14/04/2025, 07:16

11/04/2025, 21:39

Analysis

max time kernel
147s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20250411-en
resource tags

arch:x64arch:x86image:win11-20250411-enlocale:en-usos:windows11-21h2-x64system
submitted
14/04/2025, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access defense_evasion discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: yf7QWxVWLSFbqYZD/TN+CkKMxKvCNaL6oRSh7OJxjZbyBHKgh+8EkpvS2Wf/+NWrFNwrPU9+qSeZgZ+TgTWgEKCzXOhNBWc5YXkWsHBH8tcHYwXcWU4PFBKzl52RIjjvJIsJGlEJzGVRiQFmPJhdRWihC/DcLHZ5E/DA1GiFVCnQ/Mzrl45pYHM31gkbinEXcI2XDjIz/S0Up9pvpBKX8vUuCeBLNwukS+Cp6GrRVmTAi4yLlilo4BVFzvICh8JF03FHMjp/1uUqigxA1qmY3OfJhMsVRVV2NymiV+93It0leHWVbSsZ/9lk4I8qApDoyLfTFnOsonrt4HLsoxeTlqtX814vr5UjZsZBHw2fTW+Npsux1DdTUQG7m/1y/2SrGBz54iSVLWmw+eH7mILys+Pd2IkOSMOlyLSSLDi9bD4TWZy15/s9P2/Dy9OQlvWP+FydI+z3oIAvd4BDlPLMJrCw1Vke2w9dLqLNEYOkfQfDE3zUm11IyGCcE2YYv1jg96bHS9BWcQNa9O2j0mi+CQW1E24yMlCNIwv7YJoK+1X+/TRxxuanuMc2lezqg0hrcHrW3ZMWWmXXBC+MuCluiY55JrTjzXEEbM+dQ58rWUBGN37fczqoV8LztY19pyzaHokIKGLRPHtJ8M8jqQgEUzWn80Gf4tQqx8OBArXno1k= Number of files that were processed is: 418

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Hakbit family
hakbit
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2456	sc.exe
5176	sc.exe
3516	sc.exe
3540	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5252	cmd.exe
2668	PING.EXE

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe

Kills process with taskkill 47 IoCs

defense_evasion

pid	Process
4876	taskkill.exe
3112	taskkill.exe
2536	taskkill.exe
4892	taskkill.exe
4540	taskkill.exe
3468	taskkill.exe
5268	taskkill.exe
2068	taskkill.exe
4724	taskkill.exe
4940	taskkill.exe
2364	taskkill.exe
1512	taskkill.exe
5208	taskkill.exe
3132	taskkill.exe
5276	taskkill.exe
1120	taskkill.exe
4816	taskkill.exe
5988	taskkill.exe
2008	taskkill.exe
880	taskkill.exe
3640	taskkill.exe
3044	taskkill.exe
5236	taskkill.exe
2276	taskkill.exe
4932	taskkill.exe
4828	taskkill.exe
5360	taskkill.exe
5564	taskkill.exe
5964	taskkill.exe
3916	taskkill.exe
1332	taskkill.exe
2944	taskkill.exe
5884	taskkill.exe
5808	taskkill.exe
4868	taskkill.exe
2284	taskkill.exe
5696	taskkill.exe
1112	taskkill.exe
488	taskkill.exe
4860	taskkill.exe
4904	taskkill.exe
5300	taskkill.exe
4052	taskkill.exe
4896	taskkill.exe
5016	taskkill.exe
952	taskkill.exe
788	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe

Modifies registry class 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "14058"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "15471"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1099"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "14058"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "14504"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8327"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "14504"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7360"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "12413"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7360"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "12413"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "15025"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13380"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1099"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2788	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2668	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	5236	taskkill.exe
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeDebugPrivilege	5808	taskkill.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	4724	taskkill.exe
Token: SeDebugPrivilege	4052	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	5268	taskkill.exe
Token: SeDebugPrivilege	5964	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	5208	taskkill.exe
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	4876	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	5696	taskkill.exe
Token: SeDebugPrivilege	5300	taskkill.exe
Token: SeDebugPrivilege	5884	taskkill.exe
Token: SeDebugPrivilege	5988	taskkill.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	5564	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	4816	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	4940	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	5360	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	3468	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2788	SearchHost.exe
2860	SearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2456	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	78
PID 1488 wrote to memory of 2456	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	78
PID 1488 wrote to memory of 3796	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	79
PID 1488 wrote to memory of 3796	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	79
PID 1488 wrote to memory of 3540	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 1488 wrote to memory of 3540	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 1488 wrote to memory of 3516	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 1488 wrote to memory of 3516	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 1488 wrote to memory of 5176	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 1488 wrote to memory of 5176	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 1488 wrote to memory of 5808	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 1488 wrote to memory of 5808	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 1488 wrote to memory of 4724	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 1488 wrote to memory of 4724	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 1488 wrote to memory of 5884	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 1488 wrote to memory of 5884	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 1488 wrote to memory of 2944	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 1488 wrote to memory of 2944	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 1488 wrote to memory of 4052	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 1488 wrote to memory of 4052	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 1488 wrote to memory of 5300	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 1488 wrote to memory of 5300	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 1488 wrote to memory of 1332	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 1488 wrote to memory of 1332	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 1488 wrote to memory of 788	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 1488 wrote to memory of 788	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 1488 wrote to memory of 2536	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 1488 wrote to memory of 2536	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 1488 wrote to memory of 3916	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 1488 wrote to memory of 3916	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 1488 wrote to memory of 2276	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 1488 wrote to memory of 2276	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 1488 wrote to memory of 2068	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 1488 wrote to memory of 2068	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 1488 wrote to memory of 4860	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 1488 wrote to memory of 4860	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 1488 wrote to memory of 488	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 1488 wrote to memory of 488	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 1488 wrote to memory of 5964	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 1488 wrote to memory of 5964	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 1488 wrote to memory of 5268	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 1488 wrote to memory of 5268	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 1488 wrote to memory of 5236	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 1488 wrote to memory of 5236	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 1488 wrote to memory of 3044	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 1488 wrote to memory of 3044	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 1488 wrote to memory of 1120	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 1488 wrote to memory of 1120	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 1488 wrote to memory of 3640	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 1488 wrote to memory of 3640	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 1488 wrote to memory of 5276	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 1488 wrote to memory of 5276	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 1488 wrote to memory of 3132	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 1488 wrote to memory of 3132	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 1488 wrote to memory of 1112	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 1488 wrote to memory of 1112	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 1488 wrote to memory of 5564	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 1488 wrote to memory of 5564	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 1488 wrote to memory of 5696	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 1488 wrote to memory of 5696	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 1488 wrote to memory of 880	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	111
PID 1488 wrote to memory of 880	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	111
PID 1488 wrote to memory of 5208	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 1488 wrote to memory of 5208	1488	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:2456
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:3796
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:3540
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:3516
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5176
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5808
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5300
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:488
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5964
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5268
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5236
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:5276
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5564
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5696
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5208
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3468
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5360
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2788
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5252
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2668
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:4252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:2536
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3108

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2860

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
d060b517c5dd863c98d39737a6843ec5

SHA1
ef9daee6b7c7af8719b1b32c045aff51e10e9456

SHA256
12415bd95cb291a3fdaede39226b74de673c8511230911d0f8e5fba9dc5471bf

SHA512
0171b86a44ebe46647bc79536eb7b14f1329725f48e93065dcbf38a270d3ce12fe9e65e51ec703a99e660dfa646d5f44a82e63615ba4fd231564b0377714262e

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
1ed9dd46916da6542ec693802456ab11

SHA1
ef02473d55574efdd685cd14fc9b7f4969e6d31e

SHA256
e288ab756048e7c6f0f6c2c5ef0d192a534998cd48bc8eb68eebab35334ad25c

SHA512
d9660b9e479a654b70e575fc7b31d9bd17de57ff1e9d186b84e978ba06b36158b65601e973af2ac3bad25ef57577750c2a57fd1208bb627515910adfb20229ca

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
b9fbd4b796fc96caa6a7fcc545043681

SHA1
485a50ca641f446b5cdf081bc2656603a2ec213a

SHA256
019cf99fbdda72338029ca4341e4e13a077cc7f2dcd7a66d772521063bd0993b

SHA512
00fe2a639c1680cd83861a8dbcb469bc9e304b197b81cc4c76d17dc1963a4baef1557719b860c9b108790aec0f096e347555b77ff3c1f4699930bafd91600501

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi.energy[[email protected]]

Filesize
25.7MB

MD5
974fac575f26e18be2d13fa19a8d5041

SHA1
8f0c1575e2d71a4c89de9695bb4cbfe6f8723cf4

SHA256
03405a7fb21eeb127857c762f1adcfa734edc3837351726c879abcd7a8159acf

SHA512
1b7657a64ce01370d6ee692a49349479a2c0f5f138ae0c5cd56b030c464d282875f1340bd9c4025032b3de972654ca9561949d9613c4955ff123c31fb6fd6d37

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
b40a022b6e691f728ee75f6c28ec7f47

SHA1
98ee11a4622e0e37eb8d571f4f0b3f353ad113c1

SHA256
64a5d86047ba5b58c1c021f4277634d0803566af36e89252481e0eb089ac5ecb

SHA512
b074bd4fb0a8b6fe8ba00fbfafff6b7cd9f4c3b1bc06f95ab8a6dba0ef7154ff470f9103c79b8957f826c9be1e6b5666393dfa7fd268723d4b49f76fe8a5dd42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
45f53352160cf0903c729c35c8edfdce

SHA1
b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab

SHA256
9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2

SHA512
e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\62MVDHQO\www.bing[1].xml

Filesize
15KB

MD5
52770da296dd3b9adec7372419107969

SHA1
8b1c5cb01337108a504b9e26ce48ffe00754edbd

SHA256
408573e3cd8ec7f59762cdb878abb7da76eeac57660ce580541981b638f5db07

SHA512
89cbac3ce29f951e2227847a7eab34cf8c786c4ad6656bc2b5393bd9ddcaa8f677b7d3911a4e002fa89b6271e603972aae1fca79522cfbfaea89df08774e37c2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\62MVDHQO\www.bing[1].xml

Filesize
328B

MD5
b5c358a336ab51543c700ac0538866ec

SHA1
e7731d2894b3bdc553a89ad81fdcead11cea97bc

SHA256
fb4da8e677637f8f451b5add8199f587b1a056de252f86f765e4c8ed8915b355

SHA512
2660b8a8419a75f9c9750095690cf451c03e556e6a66ce86e2e6ea76b9197c046151264ede4cf851de5395e3b2b9324112f2dc6735e771515e4930d53aced314

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\F38C3645-9D44-4877-842F-3D6A3D4A1E1E\Zrtu2hQ08VU_1.bytecode

Filesize
66KB

MD5
561e5bff686af614140b7a3c94ee0a24

SHA1
9340634474d92a508adaed0e365e0f3e597f68b4

SHA256
acbdb1a9de8e6b8ea8168b8e4fb9cbcc1dd56c77470566b3a8c9bfd41cab475c

SHA512
182f55025f7b95f91032e37743633c73bf05e8a0c7ca7edc229b9261d14059bd5296e2bf815d8c9627c09d271b45b7370364e37882136fd8dcc3d60d971fc60c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\F38C3645-9D44-4877-842F-3D6A3D4A1E1E\Zrtu2hQ08VU_1.metadata

Filesize
192B

MD5
504cae39746c524328b1d95bd1fc7993

SHA1
3d1a001515959c56e4121ce32306fbdedd856771

SHA256
d6bb7129f262d6750450207b2a148c38ffbd4d459df6f0795303378cb5925835

SHA512
bba8408e30102a9895197f6955a14da70542368f8ce2953a9b0cafcb149bf33c03cfe0671789d5f96212971639dc2697785dd4af20b2ab326a07642768222b98

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\62MVDHQO\www.bing[1].xml

Filesize
17KB

MD5
9af73a48b07ab3cae3c613299624151b

SHA1
7140e5a9957caa6816168085b466d2cda0d6ce24

SHA256
fbda5528b191f29ecc91407009a87422c5145c94ee9799fb88aa268309c0579d

SHA512
58b13ab779bc651082f025d10b3db6f6fa596bef7a86e1b0747692a36bc68ead4066671b0f3b2d497ee98a890ec64ec6c6c2f6257ed51e0115380a86f85f2b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0pzahljg.v41.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
ab91d9eff7fb780752cf5057f3cecc0e

SHA1
cda24136a6021d8657df7c5af3edfa9810651121

SHA256
279626f38b2d2e511103ec55cee0f913c2582fae42340f262bd0099b2b9c6a30

SHA512
a21d258d705630c493ebd77cdb70a355fbbfbcf3ab0bb0202e922815b95b471bc2227fee0e7e90e1b4268f07f889c9c99dd7f3880a15d3308e8819e126b1abf7

Download Submit
memory/1488-3-0x00007FF966F10000-0x00007FF9679D2000-memory.dmp

Filesize
10.8MB

Download
memory/1488-1-0x0000000000830000-0x000000000084A000-memory.dmp

Filesize
104KB

Download
memory/1488-1007-0x00007FF966F10000-0x00007FF9679D2000-memory.dmp

Filesize
10.8MB

Download
memory/1488-365-0x00007FF966F13000-0x00007FF966F15000-memory.dmp

Filesize
8KB

Download
memory/1488-0-0x00007FF966F13000-0x00007FF966F15000-memory.dmp

Filesize
8KB

Download
memory/1488-533-0x00007FF966F10000-0x00007FF9679D2000-memory.dmp

Filesize
10.8MB

Download
memory/2788-366-0x000001E87D9D0000-0x000001E87D9F0000-memory.dmp

Filesize
128KB

Download
memory/2788-462-0x000001E881960000-0x000001E881A60000-memory.dmp

Filesize
1024KB

Download
memory/2788-461-0x000001E881960000-0x000001E881A60000-memory.dmp

Filesize
1024KB

Download
memory/2788-368-0x000001E87D890000-0x000001E87D8B0000-memory.dmp

Filesize
128KB

Download
memory/2788-367-0x000001E87DB70000-0x000001E87DC70000-memory.dmp

Filesize
1024KB

Download
memory/2788-284-0x000001E86A700000-0x000001E86A800000-memory.dmp

Filesize
1024KB

Download
memory/2860-680-0x0000020602D00000-0x0000020602E00000-memory.dmp

Filesize
1024KB

Download
memory/2860-746-0x0000020625D00000-0x0000020625E00000-memory.dmp

Filesize
1024KB

Download
memory/2860-745-0x0000020613C70000-0x0000020613C90000-memory.dmp

Filesize
128KB

Download
memory/2860-747-0x0000020625C40000-0x0000020625C60000-memory.dmp

Filesize
128KB

Download
memory/2860-852-0x0000020602D00000-0x0000020602E00000-memory.dmp

Filesize
1024KB

Download
memory/2860-846-0x0000020602D00000-0x0000020602E00000-memory.dmp

Filesize
1024KB

Download
memory/5040-15-0x000001EF75410000-0x000001EF75432000-memory.dmp

Filesize
136KB

Download