7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e

Analysis

max time kernel
110s
max time network
75s
platform
windows7_x64
resource
win7v20201028
submitted
18-01-2021 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
Size

18KB
MD5

d360e4b15da3d3b89640a3ba98464214
SHA1

67816c29b8f35cff28bb4f3f1428d001a8f1f280
SHA256

7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e
SHA512

d00295e6d7192c0a2dfa8ccbf18fb344852fae9de074fc843b6ef20967b003c7fcff2b6835fc3dd7bd69c0bfdf714c22f972a5e609f5859d051579c94967179a

Score

10^/10

persistence ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_ME.hta

Ransom Note

E P S I L O N Ransomware ⠀ As you can see, all your files got encrypted. Thats why your files are no longer readable. If you want them back, please contact us at our email below. You can send us a couple of files and we will return the restored ones to prove that only we can do it. [email protected] You can ask for more details and more help by email. You can learn more about bitcoin and encryption on wikipedia. https://wikipedia.org/wiki/Bitcoinhttps://wikipedia.org/wiki/Encryption ⠀ If you already submited your payement, you will receive your private key and another decryption key with the special decryption software. More informations: 1. the infection was due to vulnerabilities in your software. 2. our goal is to return your data, but if you don't contact us, we will not succeed. IMPORTANT: 1. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 2. only communication through our email can guarantee file recover for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 3. please, do not try to rename encrypted files.

Emails

[email protected]

URLs

https://wikipedia.org/wiki/Bitcoinhttps://wikipedia.org/wiki/Encryption

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

0t23jqcr.exeTaskHostHelper.exe

pid process

800 0t23jqcr.exe
1596 TaskHostHelper.exe
Drops startup file 1 IoCs

Processes:

TaskHostHelper.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_ME.hta TaskHostHelper.exe
Loads dropped DLL 2 IoCs

Processes:

0t23jqcr.exe

pid process

800 0t23jqcr.exe
800 0t23jqcr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
800	0t23jqcr.exe
1596	TaskHostHelper.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_ME.hta	TaskHostHelper.exe

pid	process
800	0t23jqcr.exe
800	0t23jqcr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TaskHostHelper.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TaskHostHelper.exe"	TaskHostHelper.exe

Drops file in System32 directory 3 IoCs

Processes:

TaskHostHelper.exe

description	ioc	process
File created	C:\Windows\SysWOW64\locationnotificationsview.xml	TaskHostHelper.exe
File created	C:\Windows\SysWOW64\OSPQKA32.vbs	TaskHostHelper.exe
File opened for modification	C:\Windows\SysWOW64\license.rtf	TaskHostHelper.exe

Drops file in Program Files directory 995 IoCs

Processes:

TaskHostHelper.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange.css	TaskHostHelper.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GreenTea.css	TaskHostHelper.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png	TaskHostHelper.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow.css	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime.css	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Class.zip	TaskHostHelper.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate.css	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg	TaskHostHelper.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png	TaskHostHelper.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue.css	TaskHostHelper.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow.css	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\SmallLogoCanary.png	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml	TaskHostHelper.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\drag.png	TaskHostHelper.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css	TaskHostHelper.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml	TaskHostHelper.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Earthy.css	TaskHostHelper.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	TaskHostHelper.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml	TaskHostHelper.exe

Drops file in Windows directory 319 IoCs

Processes:

TaskHostHelper.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\watermark.bmp	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallPersistSqlState.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallMembership.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DefineErrorPage.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx	TaskHostHelper.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\SubsetList\Client.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\manageAllRoles.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx45_IIS_schema_update.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreLogic.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallWebEventSqlProvider.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceProviderSchema.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlPersistenceProviderLogic.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallPersistSqlState.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en\Tracking_Logic.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx	TaskHostHelper.exe
File created	C:\Windows\Web\Wallpaper\Architecture\img13.jpg	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlPersistenceProviderLogic.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\editUser.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1033\LocalizedData.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\manageAllRoles.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\header.bmp	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallCommon.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallRoles.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallRoles.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2052\LocalizedData.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallPersistSqlState.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\security0.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallSqlStateTemplate.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1031\LocalizedData.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Panther\diagwrn.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreLogic.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\SmtpSettings.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SplashScreen.bmp	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1028\LocalizedData.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1029\LocalizedData.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1038\eula.rtf	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1049\eula.rtf	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1053\LocalizedData.xml	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql	TaskHostHelper.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\home2.aspx	TaskHostHelper.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

2248 vssadmin.exe
780 vssadmin.exe
2060 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1664 taskkill.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
2248	vssadmin.exe
780	vssadmin.exe
2060	vssadmin.exe

pid	process
1664	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

TaskHostHelper.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	TaskHostHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	TaskHostHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	TaskHostHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	TaskHostHelper.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

0t23jqcr.exe

pid process

800 0t23jqcr.exe

pid	process
800	0t23jqcr.exe

Suspicious behavior: EnumeratesProcesses 10137 IoCs

Processes:

7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe

pid	process
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe

Suspicious use of AdjustPrivilegeToken 137 IoCs

Processes:

7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exetaskkill.exe0t23jqcr.exeTaskHostHelper.exeWMIC.exevssvc.execmd.exeAUDIODG.EXEWMIC.exe

description	pid	process
Token: SeDebugPrivilege	644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	800	0t23jqcr.exe
Token: SeDebugPrivilege	1596	TaskHostHelper.exe
Token: 33	1596	TaskHostHelper.exe
Token: SeIncBasePriorityPrivilege	1596	TaskHostHelper.exe
Token: SeIncreaseQuotaPrivilege	948	WMIC.exe
Token: SeSecurityPrivilege	948	WMIC.exe
Token: SeTakeOwnershipPrivilege	948	WMIC.exe
Token: SeLoadDriverPrivilege	948	WMIC.exe
Token: SeSystemProfilePrivilege	948	WMIC.exe
Token: SeSystemtimePrivilege	948	WMIC.exe
Token: SeProfSingleProcessPrivilege	948	WMIC.exe
Token: SeIncBasePriorityPrivilege	948	WMIC.exe
Token: SeCreatePagefilePrivilege	948	WMIC.exe
Token: SeBackupPrivilege	948	WMIC.exe
Token: SeRestorePrivilege	948	WMIC.exe
Token: SeShutdownPrivilege	948	WMIC.exe
Token: SeDebugPrivilege	948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	948	WMIC.exe
Token: SeRemoteShutdownPrivilege	948	WMIC.exe
Token: SeUndockPrivilege	948	WMIC.exe
Token: SeManageVolumePrivilege	948	WMIC.exe
Token: 33	948	WMIC.exe
Token: 34	948	WMIC.exe
Token: 35	948	WMIC.exe
Token: SeBackupPrivilege	1892	vssvc.exe
Token: SeRestorePrivilege	1892	vssvc.exe
Token: SeAuditPrivilege	1892	vssvc.exe
Token: SeIncreaseQuotaPrivilege	948	cmd.exe
Token: SeSecurityPrivilege	948	cmd.exe
Token: SeTakeOwnershipPrivilege	948	cmd.exe
Token: SeLoadDriverPrivilege	948	cmd.exe
Token: SeSystemProfilePrivilege	948	cmd.exe
Token: SeSystemtimePrivilege	948	cmd.exe
Token: SeProfSingleProcessPrivilege	948	cmd.exe
Token: SeIncBasePriorityPrivilege	948	cmd.exe
Token: SeCreatePagefilePrivilege	948	cmd.exe
Token: SeBackupPrivilege	948	cmd.exe
Token: SeRestorePrivilege	948	cmd.exe
Token: SeShutdownPrivilege	948	cmd.exe
Token: SeDebugPrivilege	948	cmd.exe
Token: SeSystemEnvironmentPrivilege	948	cmd.exe
Token: SeRemoteShutdownPrivilege	948	cmd.exe
Token: SeUndockPrivilege	948	cmd.exe
Token: SeManageVolumePrivilege	948	cmd.exe
Token: 33	948	cmd.exe
Token: 34	948	cmd.exe
Token: 35	948	cmd.exe
Token: 33	1720	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1720	AUDIODG.EXE
Token: 33	1720	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1720	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	2108	WMIC.exe
Token: SeSecurityPrivilege	2108	WMIC.exe
Token: SeTakeOwnershipPrivilege	2108	WMIC.exe
Token: SeLoadDriverPrivilege	2108	WMIC.exe
Token: SeSystemProfilePrivilege	2108	WMIC.exe
Token: SeSystemtimePrivilege	2108	WMIC.exe
Token: SeProfSingleProcessPrivilege	2108	WMIC.exe
Token: SeIncBasePriorityPrivilege	2108	WMIC.exe
Token: SeCreatePagefilePrivilege	2108	WMIC.exe
Token: SeBackupPrivilege	2108	WMIC.exe
Token: SeRestorePrivilege	2108	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe

pid	process
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe

Suspicious use of WriteProcessMemory 79 IoCs

Processes:

7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.execmd.exe0t23jqcr.exeTaskHostHelper.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 644 wrote to memory of 1180	644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe	cmstp.exe
PID 644 wrote to memory of 1180	644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe	cmstp.exe
PID 644 wrote to memory of 1180	644	7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe	cmstp.exe
PID 1008 wrote to memory of 800	1008	cmd.exe	0t23jqcr.exe
PID 1008 wrote to memory of 800	1008	cmd.exe	0t23jqcr.exe
PID 1008 wrote to memory of 800	1008	cmd.exe	0t23jqcr.exe
PID 1008 wrote to memory of 800	1008	cmd.exe	0t23jqcr.exe
PID 800 wrote to memory of 1596	800	0t23jqcr.exe	TaskHostHelper.exe
PID 800 wrote to memory of 1596	800	0t23jqcr.exe	TaskHostHelper.exe
PID 800 wrote to memory of 1596	800	0t23jqcr.exe	TaskHostHelper.exe
PID 800 wrote to memory of 1596	800	0t23jqcr.exe	TaskHostHelper.exe
PID 1596 wrote to memory of 1976	1596	TaskHostHelper.exe	mshta.exe
PID 1596 wrote to memory of 1976	1596	TaskHostHelper.exe	mshta.exe
PID 1596 wrote to memory of 1976	1596	TaskHostHelper.exe	mshta.exe
PID 1596 wrote to memory of 1976	1596	TaskHostHelper.exe	mshta.exe
PID 1596 wrote to memory of 1164	1596	TaskHostHelper.exe	WScript.exe
PID 1596 wrote to memory of 1164	1596	TaskHostHelper.exe	WScript.exe
PID 1596 wrote to memory of 1164	1596	TaskHostHelper.exe	WScript.exe
PID 1596 wrote to memory of 1164	1596	TaskHostHelper.exe	WScript.exe
PID 1596 wrote to memory of 1812	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 1812	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 1812	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 1812	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 968	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 968	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 968	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 968	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 1956	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 1956	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 1956	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 1956	1596	TaskHostHelper.exe	cmd.exe
PID 1812 wrote to memory of 780	1812	cmd.exe	vssadmin.exe
PID 1812 wrote to memory of 780	1812	cmd.exe	vssadmin.exe
PID 1812 wrote to memory of 780	1812	cmd.exe	vssadmin.exe
PID 1812 wrote to memory of 780	1812	cmd.exe	vssadmin.exe
PID 968 wrote to memory of 948	968	cmd.exe	WMIC.exe
PID 968 wrote to memory of 948	968	cmd.exe	WMIC.exe
PID 968 wrote to memory of 948	968	cmd.exe	WMIC.exe
PID 968 wrote to memory of 948	968	cmd.exe	WMIC.exe
PID 1596 wrote to memory of 508	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 508	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 508	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 508	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 948	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 948	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 948	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 948	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 2012	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 2012	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 2012	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 2012	1596	TaskHostHelper.exe	cmd.exe
PID 508 wrote to memory of 2060	508	cmd.exe	vssadmin.exe
PID 508 wrote to memory of 2060	508	cmd.exe	vssadmin.exe
PID 508 wrote to memory of 2060	508	cmd.exe	vssadmin.exe
PID 508 wrote to memory of 2060	508	cmd.exe	vssadmin.exe
PID 948 wrote to memory of 2108	948	cmd.exe	WMIC.exe
PID 948 wrote to memory of 2108	948	cmd.exe	WMIC.exe
PID 948 wrote to memory of 2108	948	cmd.exe	WMIC.exe
PID 948 wrote to memory of 2108	948	cmd.exe	WMIC.exe
PID 1596 wrote to memory of 2156	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 2156	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 2156	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 2156	1596	TaskHostHelper.exe	cmd.exe
PID 1596 wrote to memory of 2168	1596	TaskHostHelper.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
"C:\Users\Admin\AppData\Local\Temp\7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644

\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\bo2yxcq5.inf
2⤵
PID:1180

C:\Windows\system32\cmd.exe
cmd /c start C:\Windows\temp\0t23jqcr.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\temp\0t23jqcr.exe
C:\Windows\temp\0t23jqcr.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe
"C:\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\READ_ME.hta"
4⤵
- Modifies Internet Explorer settings
PID:1976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\System32\OSPQKA32.vbs"
4⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
4⤵
PID:2156

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
4⤵
PID:2168

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:2200

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1644

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe
MD5
c6ec91aaa2bba2deb31fb645a2f9b9e4

SHA1
a921f8a827897250ebbc9847ea113f56dbb1c18d

SHA256
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0

SHA512
13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe
MD5
c6ec91aaa2bba2deb31fb645a2f9b9e4

SHA1
a921f8a827897250ebbc9847ea113f56dbb1c18d

SHA256
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0

SHA512
13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019

Download Submit
C:\Users\Admin\Desktop\READ_ME.hta
MD5
a076b2df780ea7d573ffd70ce0c603ea

SHA1
226531b08d9cdccf6de988172ed1e144b1d0be57

SHA256
6d5c611b01516055bbc4a56e992e7d90fcab562448d5b56a179d0f286c4b356a

SHA512
aa610f6f9c1b7cefe0f4bffe6acaae668b33e19430e137523193a51f30dd89b096b9fd29f323e9c1f71da0e6d99b8d8cb2eb334275db5ac02375af447a0e7fdd

Download Submit
C:\Windows\SysWOW64\OSPQKA32.vbs
MD5
07641762ad9c0d4b5983babccecb071b

SHA1
84afb077fccaa75f82338c30c5d03f4b67e39c62

SHA256
c65ff4443a32b8144455278a1fd98d442e1ad76f738a82668b2229acd7a2a117

SHA512
4be951540e9ad6c0eba31a1c31899ee1b327b4f37410cfc1f8a2fa8b27d705a265053f4ace0e8997b2ba337d293adb8d122860a85b775c41dfea5e1f252977ff

Download Submit
C:\Windows\Temp\0t23jqcr.exe
MD5
f3d78f15bf85aa14f71979585d310ae7

SHA1
1e73b89abd5e0e0e74291d5ebb4f10574a9ef2e2

SHA256
bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a

SHA512
ef251e35c6047df225d937b568ded6ad9ee8e72235fac6ce6c04e9287f01aad65c63ada7e65e304ac094029f0a768d2697c3960dde818f7cf0f73cd81283e087

Download Submit
C:\Windows\temp\0t23jqcr.exe
MD5
f3d78f15bf85aa14f71979585d310ae7

SHA1
1e73b89abd5e0e0e74291d5ebb4f10574a9ef2e2

SHA256
bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a

SHA512
ef251e35c6047df225d937b568ded6ad9ee8e72235fac6ce6c04e9287f01aad65c63ada7e65e304ac094029f0a768d2697c3960dde818f7cf0f73cd81283e087

Download Submit
C:\Windows\temp\bo2yxcq5.inf
MD5
a11f49d62b9befb320bdccef447bd0f9

SHA1
9afb513704ec2a12bcdcece7f63355a35a9310cd

SHA256
c283a8286abac0a04291254344167143133657d40dccb55c5c3338f34c056df0

SHA512
64f298b1733658ceea5df4ff7b4a43b29324fac89b902ca5ed4b703a9961040e619cd2d24bbc5f15136a9b428698677b3da8b7aef8fff8a63dfeca55ef265354

Download Submit
\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe
MD5
c6ec91aaa2bba2deb31fb645a2f9b9e4

SHA1
a921f8a827897250ebbc9847ea113f56dbb1c18d

SHA256
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0

SHA512
13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019

Download Submit
\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe
MD5
c6ec91aaa2bba2deb31fb645a2f9b9e4

SHA1
a921f8a827897250ebbc9847ea113f56dbb1c18d

SHA256
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0

SHA512
13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019

Download Submit
memory/508-48-0x0000000000000000-mapping.dmp

Download
memory/644-19-0x000000001ADCB000-0x000000001ADCC000-memory.dmp

Filesize
4KB

Download
memory/644-3-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/644-16-0x000000001ADC9000-0x000000001ADCA000-memory.dmp

Filesize
4KB

Download
memory/644-2-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/644-18-0x000000001ADCA000-0x000000001ADCB000-memory.dmp

Filesize
4KB

Download
memory/644-15-0x000000001ADC8000-0x000000001ADC9000-memory.dmp

Filesize
4KB

Download
memory/644-14-0x000000001ADC7000-0x000000001ADC8000-memory.dmp

Filesize
4KB

Download
memory/644-47-0x000007FEF5960000-0x000007FEF5BDA000-memory.dmp

Filesize
2.5MB

Download
memory/644-9-0x000000001ADA0000-0x000000001ADA2000-memory.dmp

Filesize
8KB

Download
memory/644-10-0x000000001ADA6000-0x000000001ADC5000-memory.dmp

Filesize
124KB

Download
memory/644-11-0x000000001ADC5000-0x000000001ADC6000-memory.dmp

Filesize
4KB

Download
memory/644-13-0x000000001ADC6000-0x000000001ADC7000-memory.dmp

Filesize
4KB

Download
memory/780-45-0x0000000000000000-mapping.dmp

Download
memory/800-21-0x0000000000000000-mapping.dmp

Download
memory/800-23-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/800-24-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/800-26-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/948-46-0x0000000000000000-mapping.dmp

Download
memory/948-49-0x0000000000000000-mapping.dmp

Download
memory/968-40-0x0000000000000000-mapping.dmp

Download
memory/1164-38-0x0000000000000000-mapping.dmp

Download
memory/1164-44-0x00000000765E1000-0x00000000765E3000-memory.dmp

Filesize
8KB

Download
memory/1180-5-0x0000000000000000-mapping.dmp

Download
memory/1180-17-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1180-12-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmp

Filesize
8KB

Download
memory/1596-36-0x00000000003E5000-0x00000000003F6000-memory.dmp

Filesize
68KB

Download
memory/1596-29-0x0000000000000000-mapping.dmp

Download
memory/1596-35-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1596-33-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1596-32-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/1812-39-0x0000000000000000-mapping.dmp

Download
memory/1956-41-0x0000000000000000-mapping.dmp

Download
memory/1976-37-0x0000000000000000-mapping.dmp

Download
memory/2012-50-0x0000000000000000-mapping.dmp

Download
memory/2060-51-0x0000000000000000-mapping.dmp

Download
memory/2108-52-0x0000000000000000-mapping.dmp

Download
memory/2156-53-0x0000000000000000-mapping.dmp

Download
memory/2168-54-0x0000000000000000-mapping.dmp

Download
memory/2200-55-0x0000000000000000-mapping.dmp

Download
memory/2248-56-0x0000000000000000-mapping.dmp

Download
memory/2260-57-0x0000000000000000-mapping.dmp

Download