054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9

Analysis

max time kernel
107s
max time network
108s
platform
windows7_x64
resource
win7v200722
submitted
23/09/2020, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Size

1.3MB
MD5

f4c92c5896d92368dab37f277f74220a
SHA1

e5763d7e58f39b9f2130abcfadaa34e5e46b04a9
SHA256

054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9
SHA512

99d06cd0288d892c1e018439e75a5f62ad909a1a6d35de4101a1fa99d55ea3c34685857e39cc385f9aedd0d4f027dc3592d1605919b91bc0a44ea8126343b0e5

Score

10^/10

evasion persistence ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Visio\Recover files.hta

Ransom Note

Your personal ID ☣Your files are encrypted!☣ ⬇ To decrypt, follow the instructions below.⬇ To recover data you need decrypt tool. To get the decrypt tool you should: Send 3 crypted test image or text file or document to [email protected] Or alternate mail [email protected] In the letter include your personal ID (look at the beginning of this document). Send me this ID in your first email to me. We will give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files. After we send you instruction how to pay for decrypt tool and after payment you will receive a decrypt tool and instructions how to use it We can decrypt few files in quality the evidence that we have the decoder. MOST IMPORTANT!!! Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. No one, except [email protected] ([email protected]), will decrypt your files. Only [email protected] ([email protected]) can decrypt your files Do not trust anyone besides [email protected] ([email protected]) Antivirus programs can delete this document and you can not contact us later. Attempts to self-decrypting files will result in the loss of your data Decoders other users are not compatible with your data, because each user's unique encryption key

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1436	mshta.exe
7	1256	mshta.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recover files.hta	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\Readme = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Visio\\readme.bat"	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\Readme_c = "C:\\\\readme.bat"	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe"	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\Readme = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Visio\\readme.bat"	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\Readme_c = "C:\\\\readme.bat"	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe"	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe

Drops desktop.ini file(s) 37 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JSOYQ5ME\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DUF815Z1\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2090973689-680783404-4292415065-1000\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Z1YRRYOY\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YAUNGDT1\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\OCEAN_01.MID	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts.css	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.THD	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\Recover files.hta	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\TASKL.ICO	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\Recover files.hta	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Recover files.hta	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\Recover files.hta	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BL00195_.WMF	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0185828.WMF	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\TASKACCS.ICO	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH01329_.WMF	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PPINTL.DLL.IDX_DLL	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\mset7fr.kic	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBBA\MSPUB3A.BDR	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\SECRECL.ICO	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VS_ComponentSigningIntermediate.cer	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0153307.WMF	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00828_.WMF	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\tab_on.gif	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\WEBCALSO.POC	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\Recover files.hta	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0250997.WMF	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00559_.WMF	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00037_.GIF	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152600.WMF	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR43F.GIF	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolIcons\GWE.ICO	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\CALSO11.POC	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Recover files.hta	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\oledb32r.dll	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Essential.eftx	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\WINWORD.DEV_K_COL.HXK	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\CONVERT\OL.SAM	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\IA32.api	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_ja.dll	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\psuser_64.dll	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RICEPAPR.INF	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Interacts with shadow copies 2 TTPs 4 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
664	vssadmin.exe
372	vssadmin.exe
1920	vssadmin.exe
2044	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
872	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
872	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	520	vssvc.exe
Token: SeRestorePrivilege	520	vssvc.exe
Token: SeAuditPrivilege	520	vssvc.exe
Token: SeShutdownPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
Token: SeSecurityPrivilege	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1560	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	28
PID 540 wrote to memory of 1560	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	28
PID 540 wrote to memory of 1560	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	28
PID 540 wrote to memory of 1560	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	28
PID 540 wrote to memory of 1640	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	30
PID 540 wrote to memory of 1640	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	30
PID 540 wrote to memory of 1640	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	30
PID 540 wrote to memory of 1640	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	30
PID 1640 wrote to memory of 2004	1640	net.exe	32
PID 1640 wrote to memory of 2004	1640	net.exe	32
PID 1640 wrote to memory of 2004	1640	net.exe	32
PID 1640 wrote to memory of 2004	1640	net.exe	32
PID 540 wrote to memory of 1992	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	33
PID 540 wrote to memory of 1992	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	33
PID 540 wrote to memory of 1992	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	33
PID 540 wrote to memory of 1992	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	33
PID 1992 wrote to memory of 1152	1992	net.exe	35
PID 1992 wrote to memory of 1152	1992	net.exe	35
PID 1992 wrote to memory of 1152	1992	net.exe	35
PID 1992 wrote to memory of 1152	1992	net.exe	35
PID 540 wrote to memory of 2024	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	36
PID 540 wrote to memory of 2024	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	36
PID 540 wrote to memory of 2024	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	36
PID 540 wrote to memory of 2024	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	36
PID 540 wrote to memory of 1060	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	37
PID 540 wrote to memory of 1060	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	37
PID 540 wrote to memory of 1060	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	37
PID 540 wrote to memory of 1060	540	054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe	37
PID 1060 wrote to memory of 664	1060	cmd.exe	39
PID 1060 wrote to memory of 664	1060	cmd.exe	39
PID 1060 wrote to memory of 664	1060	cmd.exe	39
PID 1060 wrote to memory of 664	1060	cmd.exe	39
PID 1060 wrote to memory of 1472	1060	cmd.exe	41
PID 1060 wrote to memory of 1472	1060	cmd.exe	41
PID 1060 wrote to memory of 1472	1060	cmd.exe	41
PID 1060 wrote to memory of 1472	1060	cmd.exe	41
PID 1060 wrote to memory of 1448	1060	cmd.exe	42
PID 1060 wrote to memory of 1448	1060	cmd.exe	42
PID 1060 wrote to memory of 1448	1060	cmd.exe	42
PID 1060 wrote to memory of 1448	1060	cmd.exe	42
PID 1060 wrote to memory of 572	1060	cmd.exe	43
PID 1060 wrote to memory of 572	1060	cmd.exe	43
PID 1060 wrote to memory of 572	1060	cmd.exe	43
PID 1060 wrote to memory of 572	1060	cmd.exe	43
PID 1060 wrote to memory of 972	1060	cmd.exe	44
PID 1060 wrote to memory of 972	1060	cmd.exe	44
PID 1060 wrote to memory of 972	1060	cmd.exe	44
PID 1060 wrote to memory of 972	1060	cmd.exe	44
PID 1060 wrote to memory of 1400	1060	cmd.exe	45
PID 1060 wrote to memory of 1400	1060	cmd.exe	45
PID 1060 wrote to memory of 1400	1060	cmd.exe	45
PID 1060 wrote to memory of 1400	1060	cmd.exe	45
PID 1060 wrote to memory of 628	1060	cmd.exe	46
PID 1060 wrote to memory of 628	1060	cmd.exe	46
PID 1060 wrote to memory of 628	1060	cmd.exe	46
PID 1060 wrote to memory of 628	1060	cmd.exe	46
PID 1060 wrote to memory of 1916	1060	cmd.exe	47
PID 1060 wrote to memory of 1916	1060	cmd.exe	47
PID 1060 wrote to memory of 1916	1060	cmd.exe	47
PID 1060 wrote to memory of 1916	1060	cmd.exe	47
PID 1060 wrote to memory of 1476	1060	cmd.exe	48
PID 1060 wrote to memory of 1476	1060	cmd.exe	48
PID 1060 wrote to memory of 1476	1060	cmd.exe	48
PID 1060 wrote to memory of 1476	1060	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
"C:\Users\Admin\AppData\Local\Temp\054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\net.exe
  "net" use
  2⤵
  PID:1560
- C:\Windows\SysWOW64\net.exe
  "net" user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:2004
- C:\Windows\SysWOW64\net.exe
  "net" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1152
- C:\Users\Admin\AppData\Local\Temp\054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe" 1
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\net.exe
    "net" use
    3⤵
    PID:936
- - C:\Windows\SysWOW64\net.exe
    "net" user
    3⤵
    PID:108
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:1756
- - C:\Windows\SysWOW64\net.exe
    "net" session
    3⤵
    PID:1436
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1380
- - C:\Users\Admin\AppData\Local\Temp\054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe
    C:\Users\Admin\AppData\Local\Temp\054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin.exe 1
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:872
  - - C:\Windows\SysWOW64\net.exe
      "net" use
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\net.exe
      "net" user
      4⤵
      PID:1568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2012
  - - C:\Windows\SysWOW64\net.exe
      "net" session
      4⤵
      PID:1960
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /C C:\Users\Admin\AppData\Roaming\Microsoft\Visio\start.bat
      4⤵
      PID:2044
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:372
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config browser
        5⤵
        
        PID:972
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config browser start=enabled
        5⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop vss
        5⤵
        
        PID:928
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config vss start=disabled
        5⤵
        
        PID:1476
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MongoDB
        5⤵
        
        PID:620
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config MongoDB start=disabled
        5⤵
        
        PID:996
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop SQLWriter
        5⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config SQLWriter start=disabled
        5⤵
        
        PID:1860
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MSSQLServerOLAPService
        5⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config MSSQLServerOLAPService start=disabled
        5⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MSSQLSERVER
        5⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config MSSQLSERVER start=disabled
        5⤵
        
        PID:1484
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MSSQL$SQLEXPRESS
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config MSSQL$SQLEXPRESS start=disabled
        5⤵
        
        PID:976
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop ReportServer
        5⤵
        
        PID:956
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config ReportServer start=disabled
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop OracleServiceORCL
        5⤵
        
        PID:1232
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config OracleServiceORCL start=disabled
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop OracleDBConsoleorcl
        5⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config OracleDBConsoleorcl start=disabled
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop OracleMTSRecoveryService
        5⤵
        
        PID:1568
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config OracleMTSRecoveryService start=disabled
        5⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop OracleVssWriterORCL
        5⤵
        
        PID:2032
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config OracleVssWriterORCL start=disabled
        5⤵
        
        PID:1552
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MySQL
        5⤵
        
        PID:2036
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config MySQL start=disabled
        5⤵
        
        PID:1416
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /C C:\Users\Admin\AppData\Roaming\Microsoft\Visio\start_after.bat
      4⤵
      PID:1752
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1920
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
        5⤵
        
        PID:1736
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
        5⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
        5⤵
        
        PID:1176
  - - C:\Windows\SysWOW64\mshta.exe
      "mshta" "C:\Users\Admin\AppData\Roaming\Microsoft\Visio/Recover files.hta"
      4⤵
      Blocklisted process makes network request
      Modifies Internet Explorer settings
      PID:1436
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Roaming\Microsoft\Visio\start.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:664
- - C:\Windows\SysWOW64\sc.exe
    sc config browser
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\sc.exe
    sc config browser start=enabled
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\sc.exe
    sc stop vss
    3⤵
    PID:572
- - C:\Windows\SysWOW64\sc.exe
    sc config vss start=disabled
    3⤵
    PID:972
- - C:\Windows\SysWOW64\sc.exe
    sc stop MongoDB
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\sc.exe
    sc config MongoDB start=disabled
    3⤵
    PID:628
- - C:\Windows\SysWOW64\sc.exe
    sc stop SQLWriter
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLWriter start=disabled
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLServerOLAPService
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLServerOLAPService start=disabled
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQLSERVER
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQLSERVER start=disabled
    3⤵
    PID:316
- - C:\Windows\SysWOW64\sc.exe
    sc stop MSSQL$SQLEXPRESS
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\sc.exe
    sc config MSSQL$SQLEXPRESS start=disabled
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\sc.exe
    sc stop ReportServer
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\sc.exe
    sc config ReportServer start=disabled
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\sc.exe
    sc stop OracleServiceORCL
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\sc.exe
    sc config OracleServiceORCL start=disabled
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\sc.exe
    sc stop OracleDBConsoleorcl
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\sc.exe
    sc config OracleDBConsoleorcl start=disabled
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\sc.exe
    sc stop OracleMTSRecoveryService
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\sc.exe
    sc config OracleMTSRecoveryService start=disabled
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\sc.exe
    sc stop OracleVssWriterORCL
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\sc.exe
    sc config OracleVssWriterORCL start=disabled
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\sc.exe
    sc stop MySQL
    3⤵
    PID:372
- - C:\Windows\SysWOW64\sc.exe
    sc config MySQL start=disabled
    3⤵
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Roaming\Microsoft\Visio\start_after.bat
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    3⤵
    PID:1864
- C:\Windows\SysWOW64\mshta.exe
  "mshta" "C:\Users\Admin\AppData\Roaming\Microsoft\Visio/Recover files.hta"
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  PID:1256

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-0-0x0000000000F60000-0x00000000010AE000-memory.dmp

Filesize
1.3MB

Download
memory/872-46-0x0000000000F60000-0x00000000010AE000-memory.dmp

Filesize
1.3MB

Download
memory/948-95-0x000007FEF7ED0000-0x000007FEF814A000-memory.dmp

Filesize
2.5MB

Download
memory/2024-7-0x0000000000F60000-0x00000000010AE000-memory.dmp

Filesize
1.3MB

Download