Analysis
  max time kernel: 139s
  max time network: 110s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 18-01-2021 22:48
Static task: static1
Behavioral task: behavioral1
  Sample: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
  Resource: win10v20201028
General
  Target: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
  Size: 29KB
  MD5: c6ec91aaa2bba2deb31fb645a2f9b9e4
  SHA1: a921f8a827897250ebbc9847ea113f56dbb1c18d
  SHA256: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0
  SHA512: 13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019
Malware Config
Extracted
  C:\Users\Admin\Desktop\READ_ME.hta
  https://wikipedia.org/wiki/Bitcoin
  https://wikipedia.org/wiki/Encryption
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops startup file (1 IoC)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
    description   ioc                                                                                       process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_ME.hta  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
    description      ioc                                                                                                                                                                                                                                                   process
    Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe"  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Drops file in System32 directory (1 IoC)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
    description   ioc                                     process
    File created  C:\Windows\SysWOW64\@AudioToastIcon.png  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Drops file in Program Files directory (1674 IoCs)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Drops file in Windows directory (386 IoCs)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe, vssadmin.exe
    pid   process
    3004  vssadmin.exe
    2280  vssadmin.exe
    1896  vssadmin.exe
- Modifies registry class (1 IoC)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
    description  ioc                                                                                process
    Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings  b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
- Suspicious use of AdjustPrivilegeToken (138 IoCs)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe, WMIC.exe, vssvc.exe, WMIC.exe
    description                          pid   process
    Token: SeDebugPrivilege              740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
    Token: 33                            740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
    Token: SeIncBasePriorityPrivilege    740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
    Token: SeIncreaseQuotaPrivilege      3424  WMIC.exe
    Token: SeSecurityPrivilege           3424  WMIC.exe
    Token: SeTakeOwnershipPrivilege      3424  WMIC.exe
    Token: SeLoadDriverPrivilege         3424  WMIC.exe
    Token: SeSystemProfilePrivilege      3424  WMIC.exe
    Token: SeSystemtimePrivilege         3424  WMIC.exe
    Token: SeProfSingleProcessPrivilege  3424  WMIC.exe
    Token: SeIncBasePriorityPrivilege    3424  WMIC.exe
    Token: SeCreatePagefilePrivilege     3424  WMIC.exe
    Token: SeBackupPrivilege             3424  WMIC.exe
    Token: SeRestorePrivilege            3424  WMIC.exe
    Token: SeShutdownPrivilege           3424  WMIC.exe
    Token: SeDebugPrivilege              3424  WMIC.exe
    Token: SeSystemEnvironmentPrivilege  3424  WMIC.exe
    Token: SeRemoteShutdownPrivilege     3424  WMIC.exe
    Token: SeUndockPrivilege             3424  WMIC.exe
    Token: SeManageVolumePrivilege       3424  WMIC.exe
    Token: 33                            3424  WMIC.exe
    Token: 34                            3424  WMIC.exe
    Token: 35                            3424  WMIC.exe
    Token: 36                            3424  WMIC.exe
    Token: SeBackupPrivilege             4024  vssvc.exe
    Token: SeRestorePrivilege            4024  vssvc.exe
    Token: SeAuditPrivilege              4024  vssvc.exe
    Token: SeIncreaseQuotaPrivilege      3424  WMIC.exe
    Token: SeSecurityPrivilege           3424  WMIC.exe
    Token: SeTakeOwnershipPrivilege      3424  WMIC.exe
    Token: SeLoadDriverPrivilege         3424  WMIC.exe
    Token: SeSystemProfilePrivilege      3424  WMIC.exe
    Token: SeSystemtimePrivilege         3424  WMIC.exe
    Token: SeProfSingleProcessPrivilege  3424  WMIC.exe
    Token: SeIncBasePriorityPrivilege    3424  WMIC.exe
    Token: SeCreatePagefilePrivilege     3424  WMIC.exe
    Token: SeBackupPrivilege             3424  WMIC.exe
    Token: SeRestorePrivilege            3424  WMIC.exe
    Token: SeShutdownPrivilege           3424  WMIC.exe
    Token: SeDebugPrivilege              3424  WMIC.exe
    Token: SeSystemEnvironmentPrivilege  3424  WMIC.exe
    Token: SeRemoteShutdownPrivilege     3424  WMIC.exe
    Token: SeUndockPrivilege             3424  WMIC.exe
    Token: SeManageVolumePrivilege       3424  WMIC.exe
    Token: 33                            3424  WMIC.exe
    Token: 34                            3424  WMIC.exe
    Token: 35                            3424  WMIC.exe
    Token: 36                            3424  WMIC.exe
    Token: SeIncreaseQuotaPrivilege      3604  WMIC.exe
    Token: SeSecurityPrivilege           3604  WMIC.exe
    Token: SeTakeOwnershipPrivilege      3604  WMIC.exe
    Token: SeLoadDriverPrivilege         3604  WMIC.exe
    Token: SeSystemProfilePrivilege      3604  WMIC.exe
    Token: SeSystemtimePrivilege         3604  WMIC.exe
    Token: SeProfSingleProcessPrivilege  3604  WMIC.exe
    Token: SeIncBasePriorityPrivilege    3604  WMIC.exe
    Token: SeCreatePagefilePrivilege     3604  WMIC.exe
    Token: SeBackupPrivilege             3604  WMIC.exe
    Token: SeRestorePrivilege            3604  WMIC.exe
    Token: SeShutdownPrivilege           3604  WMIC.exe
    Token: SeDebugPrivilege              3604  WMIC.exe
    Token: SeSystemEnvironmentPrivilege  3604  WMIC.exe
    Token: SeRemoteShutdownPrivilege     3604  WMIC.exe
    Token: SeUndockPrivilege             3604  WMIC.exe
- Suspicious use of WriteProcessMemory (51 IoCs)
  Processes: b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
    description                       pid   process                                                                target process
    PID 740 wrote to memory of 960    740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  mshta.exe
    PID 740 wrote to memory of 960    740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  mshta.exe
    PID 740 wrote to memory of 960    740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  mshta.exe
    PID 740 wrote to memory of 2920   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  WScript.exe
    PID 740 wrote to memory of 2920   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  WScript.exe
    PID 740 wrote to memory of 2920   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  WScript.exe
    PID 740 wrote to memory of 3024   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 3024   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 3024   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 208    740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 208    740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 208    740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 1036   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 1036   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 1036   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 3024 wrote to memory of 3004  3024  cmd.exe                                                                vssadmin.exe
    PID 3024 wrote to memory of 3004  3024  cmd.exe                                                                vssadmin.exe
    PID 3024 wrote to memory of 3004  3024  cmd.exe                                                                vssadmin.exe
    PID 208 wrote to memory of 3424   208   cmd.exe                                                                WMIC.exe
    PID 208 wrote to memory of 3424   208   cmd.exe                                                                WMIC.exe
    PID 208 wrote to memory of 3424   208   cmd.exe                                                                WMIC.exe
    PID 740 wrote to memory of 1812   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 1812   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 1812   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 3988   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 3988   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 3988   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 1648   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 1648   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 1648   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 1812 wrote to memory of 2280  1812  cmd.exe                                                                vssadmin.exe
    PID 1812 wrote to memory of 2280  1812  cmd.exe                                                                vssadmin.exe
    PID 1812 wrote to memory of 2280  1812  cmd.exe                                                                vssadmin.exe
    PID 3988 wrote to memory of 3604  3988  cmd.exe                                                                WMIC.exe
    PID 3988 wrote to memory of 3604  3988  cmd.exe                                                                WMIC.exe
    PID 3988 wrote to memory of 3604  3988  cmd.exe                                                                WMIC.exe
    PID 740 wrote to memory of 2740   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 2740   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 2740   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 3688   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 3688   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 3688   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 3928   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 3928   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 740 wrote to memory of 3928   740   b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe  cmd.exe
    PID 2740 wrote to memory of 1896  2740  cmd.exe                                                                vssadmin.exe
    PID 2740 wrote to memory of 1896  2740  cmd.exe                                                                vssadmin.exe
    PID 2740 wrote to memory of 1896  2740  cmd.exe                                                                vssadmin.exe
    PID 3688 wrote to memory of 2624  3688  cmd.exe                                                                WMIC.exe
    PID 3688 wrote to memory of 2624  3688  cmd.exe                                                                WMIC.exe
    PID 3688 wrote to memory of 2624  3688  cmd.exe                                                                WMIC.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe"
  Level 1, PID 740
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\READ_ME.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      Level 2, PID 960

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\M6B32XB9.vbs"
      Level 2, PID 2920

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
      Level 2, PID 3024
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin.exe delete shadows /all /quiet
          Level 3, PID 3004
          - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
      Level 2, PID 208
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          Level 3, PID 3424
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      Level 2, PID 1036

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
      Level 2, PID 1812
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin.exe delete shadows /all /quiet
          Level 3, PID 2280
          - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
      Level 2, PID 3988
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          Level 3, PID 3604
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      Level 2, PID 1648

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
      Level 2, PID 2740
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin.exe delete shadows /all /quiet
          Level 3, PID 1896
          - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      Level 2, PID 3928

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
      Level 2, PID 3688
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          Level 3, PID 2624

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Level 1, PID 4024
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3d0
  Level 1, PID 2464
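Detection logic for the behaviour in the process tree above, added here as an example and not part of the sandbox report. It runs over constructed process-creation and registry-set events: the PIDs, image paths and command lines of one vssadmin/wmic/wbadmin round and of the Run-key write are copied from the report, while the two benign control events, the field names, the PASS_THROUGH list and the severity scheme are the example's own assumptions. Each hit is attributed to the process that started the chain rather than to the cmd.exe wrapper, images are compared by basename because the report shows SysWOW64 image paths behind System32 command lines (WOW64 redirection for the 32-bit sample), and a Run-key value whose target lives under AppData\Local\Temp is flagged.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three Inhibit System Recovery command lines seen in the process tree.
# Optional ".exe" and free whitespace let both the '"cmd.exe" /C ...' parent
# and the spawned child match the same pattern.
INHIBIT_RECOVERY = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}
# Run-key targets in these directories are treated as suspicious (assumption).
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\|\\Users\\Public\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
# Wrappers walked through when attributing a hit to the chain's origin
# (assumed list); matched on basename so SysWOW64 and System32 paths agree.
PASS_THROUGH = {"cmd.exe", "vssadmin.exe", "wmic.exe", "wbadmin.exe"}


@dataclass(frozen=True)
class ProcessEvent:  # assumed field layout for a process-creation event
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegistryEvent:  # assumed field layout for a registry value-set event
    pid: int
    key: str
    value: str
    data: str


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def match_inhibit_recovery(ev: ProcessEvent) -> Optional[str]:
    """Name of the backup-deletion technique in ev.cmdline, or None."""
    for name, rx in INHIBIT_RECOVERY.items():
        if rx.search(ev.cmdline):
            return name
    return None


def suspicious_run_key(ev: RegistryEvent) -> bool:
    """Run-key value whose (possibly quoted) target is in a user-writable dir."""
    return bool(RUN_KEY.search(ev.key)) and bool(USER_WRITABLE.search(ev.data.strip('"')))


def origin_of(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> ProcessEvent:
    """Walk up through cmd.exe/vssadmin/wmic/wbadmin to the chain's origin."""
    cur = ev
    while basename(cur.image) in PASS_THROUGH and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
    return cur


def scan(procs: List[ProcessEvent], regs: List[RegistryEvent]) -> List[dict]:
    """One finding per origin process; two or more distinct techniques from
    the same origin (as PID 740 shows) raise severity to 'high'."""
    by_pid = {p.pid: p for p in procs}
    techniques = defaultdict(set)
    for p in procs:
        name = match_inhibit_recovery(p)
        if name is not None:
            techniques[origin_of(p, by_pid).pid].add(name)
    findings = []
    for pid, names in sorted(techniques.items()):
        findings.append({"rule": "inhibit_system_recovery", "pid": pid,
                         "image": by_pid[pid].image, "techniques": sorted(names),
                         "severity": "high" if len(names) >= 2 else "medium"})
    for r in regs:
        if suspicious_run_key(r):
            findings.append({"rule": "run_key_in_user_writable_path", "pid": r.pid,
                             "image": by_pid[r.pid].image if r.pid in by_pid else "?",
                             "techniques": [f"{r.value} = {r.data}"], "severity": "medium"})
    return findings


# Constructed events: one round of the report's backup deletion plus the Run-key
# write (PIDs and command lines from the report) and two benign controls.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PROCESS_EVENTS = [
    ProcessEvent(740, 2000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcessEvent(3024, 740, CMD, r'"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet'),
    ProcessEvent(3004, 3024, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent(208, 740, CMD, r'"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete'),
    ProcessEvent(3424, 208, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcessEvent(1036, 740, CMD, r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'),
    # benign control (constructed): listing shadows has no delete verb
    ProcessEvent(5000, 2000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C vssadmin list shadows'),
]
REGISTRY_EVENTS = [
    RegistryEvent(740, r"HKU\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run",
                  "rundll.exe", f'"{SAMPLE_EXE}"'),
    # benign control (constructed): Run entry whose target is under System32
    RegistryEvent(5001, r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                  "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for finding in scan(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(finding)
```

On the constructed input this yields two findings against PID 740: one high-severity inhibit_system_recovery hit carrying all three techniques (the cmd.exe wrappers and their vssadmin/WMIC children collapse into it), and one for the rundll.exe Run-key value pointing at the sample's copy in Temp. Fed the full report, the three repeated rounds would still produce a single origin-level finding, which is the point of attributing to the chain's origin rather than alerting per cmd.exe.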
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5 07641762ad9c0d4b5983babccecb071b
SHA1 84afb077fccaa75f82338c30c5d03f4b67e39c62
SHA256 c65ff4443a32b8144455278a1fd98d442e1ad76f738a82668b2229acd7a2a117
SHA512 4be951540e9ad6c0eba31a1c31899ee1b327b4f37410cfc1f8a2fa8b27d705a265053f4ace0e8997b2ba337d293adb8d122860a85b775c41dfea5e1f252977ff
-
MD5 a076b2df780ea7d573ffd70ce0c603ea
SHA1 226531b08d9cdccf6de988172ed1e144b1d0be57
SHA256 6d5c611b01516055bbc4a56e992e7d90fcab562448d5b56a179d0f286c4b356a
SHA512 aa610f6f9c1b7cefe0f4bffe6acaae668b33e19430e137523193a51f30dd89b096b9fd29f323e9c1f71da0e6d99b8d8cb2eb334275db5ac02375af447a0e7fdd