c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a

Resubmissions

30/09/2024, 13:59

240930-ralrrayfnq 10

09/02/2022, 12:42

220209-pxfsxaaebj 10

Analysis

max time kernel
1205s
max time network
956s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
09/02/2022, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
Size

7.6MB
MD5

33f612338b6b5e6b4fe8cbb17208795c
SHA1

66535700bbce7f90d2add7c504bc0e0523d4d71d
SHA256

c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a
SHA512

7dfce042f5287858cf1d2942f6672084d01ad5677c7b47a1e9c2bcd4e0a2ea375ccd3a33676dc64dbe28edfe4fd19d25de5232c8fd23c0c7b24708c85b647fb2

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\re_ad_me.txt

Ransom Note

All of your files are currently encrypted by ZEON strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh ---END ID---

URLs

http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion/

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 812 created 2584	812	WerFault.exe	63

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\FormatSearch.tiff.zeon	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
File created	C:\Users\Admin\Pictures\PingReceive.raw.zeon	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
File created	C:\Users\Admin\Pictures\StartResize.raw.zeon	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
File opened for modification	C:\Users\Admin\Pictures\BlockResolve.tiff	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
File opened for modification	C:\Users\Admin\Pictures\FormatSearch.tiff	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveReceive.tiff	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
File created	C:\Users\Admin\Pictures\BlockResolve.tiff.zeon	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
File created	C:\Users\Admin\Pictures\FindCompress.raw.zeon	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
File created	C:\Users\Admin\Pictures\GroupTest.raw.zeon	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
File created	C:\Users\Admin\Pictures\PingExit.raw.zeon	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
File created	C:\Users\Admin\Pictures\ResolveReceive.tiff.zeon	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
File created	C:\Users\Admin\Pictures\UnregisterBlock.raw.zeon	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe

Loads dropped DLL 31 IoCs

pid	Process
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\pqBxGx.jpg"	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3136	2584	WerFault.exe	63

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1628	schtasks.exe
3456	schtasks.exe
1808	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 53 IoCs

evasion

pid	Process
1272	taskkill.exe
1928	taskkill.exe
2844	taskkill.exe
2996	taskkill.exe
2456	taskkill.exe
3832	taskkill.exe
1036	taskkill.exe
3120	taskkill.exe
2156	taskkill.exe
1064	taskkill.exe
2912	taskkill.exe
3732	taskkill.exe
3632	taskkill.exe
1952	taskkill.exe
1704	taskkill.exe
3192	taskkill.exe
3232	taskkill.exe
3812	taskkill.exe
3608	taskkill.exe
2108	taskkill.exe
3928	taskkill.exe
1952	taskkill.exe
1052	taskkill.exe
636	taskkill.exe
1136	taskkill.exe
1548	taskkill.exe
3176	taskkill.exe
4020	taskkill.exe
3312	taskkill.exe
3608	taskkill.exe
1616	taskkill.exe
64	taskkill.exe
2504	taskkill.exe
3420	taskkill.exe
816	taskkill.exe
4036	taskkill.exe
1684	taskkill.exe
3000	taskkill.exe
1292	taskkill.exe
1272	taskkill.exe
2864	taskkill.exe
3864	taskkill.exe
812	taskkill.exe
1908	taskkill.exe
3396	taskkill.exe
2692	taskkill.exe
3992	taskkill.exe
2156	taskkill.exe
3624	taskkill.exe
3404	taskkill.exe
1136	taskkill.exe
3728	taskkill.exe
512	taskkill.exe

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132890605745190612"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006509"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.032556"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3744"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.003255"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3748"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006566"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.013019"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3824"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3752"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.225218"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3768"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4052"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3868"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.019534"	svchost.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
820	NOTEPAD.EXE
3832	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
3136	WerFault.exe
3136	WerFault.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2508	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	512	taskkill.exe
Token: SeDebugPrivilege	3232	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	2508	taskmgr.exe
Token: SeSystemProfilePrivilege	2508	taskmgr.exe
Token: SeCreateGlobalPrivilege	2508	taskmgr.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	3312	Conhost.exe
Token: SeDebugPrivilege	2996	net.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	3864	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	64	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	3120	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	3396	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	4036	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: 33	2508	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2508	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 1368	3880	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	57
PID 3880 wrote to memory of 1368	3880	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	57
PID 3880 wrote to memory of 1368	3880	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	57
PID 1368 wrote to memory of 3120	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	60
PID 1368 wrote to memory of 3120	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	60
PID 1368 wrote to memory of 3120	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	60
PID 3120 wrote to memory of 2752	3120	net.exe	62
PID 3120 wrote to memory of 2752	3120	net.exe	62
PID 3120 wrote to memory of 2752	3120	net.exe	62
PID 1368 wrote to memory of 3664	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	64
PID 1368 wrote to memory of 3664	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	64
PID 1368 wrote to memory of 3664	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	64
PID 1368 wrote to memory of 3728	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	67
PID 1368 wrote to memory of 3728	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	67
PID 1368 wrote to memory of 3728	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	67
PID 1368 wrote to memory of 640	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	71
PID 1368 wrote to memory of 640	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	71
PID 1368 wrote to memory of 640	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	71
PID 640 wrote to memory of 1748	640	net.exe	73
PID 640 wrote to memory of 1748	640	net.exe	73
PID 640 wrote to memory of 1748	640	net.exe	73
PID 1368 wrote to memory of 3040	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	74
PID 1368 wrote to memory of 3040	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	74
PID 1368 wrote to memory of 3040	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	74
PID 3040 wrote to memory of 3208	3040	net.exe	76
PID 3040 wrote to memory of 3208	3040	net.exe	76
PID 3040 wrote to memory of 3208	3040	net.exe	76
PID 1368 wrote to memory of 3608	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	77
PID 1368 wrote to memory of 3608	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	77
PID 1368 wrote to memory of 3608	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	77
PID 3608 wrote to memory of 3232	3608	net.exe	79
PID 3608 wrote to memory of 3232	3608	net.exe	79
PID 3608 wrote to memory of 3232	3608	net.exe	79
PID 1368 wrote to memory of 1548	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	80
PID 1368 wrote to memory of 1548	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	80
PID 1368 wrote to memory of 1548	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	80
PID 1368 wrote to memory of 724	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	82
PID 1368 wrote to memory of 724	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	82
PID 1368 wrote to memory of 724	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	82
PID 724 wrote to memory of 1588	724	net.exe	84
PID 724 wrote to memory of 1588	724	net.exe	84
PID 724 wrote to memory of 1588	724	net.exe	84
PID 1368 wrote to memory of 3176	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	85
PID 1368 wrote to memory of 3176	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	85
PID 1368 wrote to memory of 3176	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	85
PID 3176 wrote to memory of 1908	3176	net.exe	87
PID 3176 wrote to memory of 1908	3176	net.exe	87
PID 3176 wrote to memory of 1908	3176	net.exe	87
PID 1368 wrote to memory of 1272	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	88
PID 1368 wrote to memory of 1272	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	88
PID 1368 wrote to memory of 1272	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	88
PID 1368 wrote to memory of 512	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	90
PID 1368 wrote to memory of 512	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	90
PID 1368 wrote to memory of 512	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	90
PID 1368 wrote to memory of 2468	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	92
PID 1368 wrote to memory of 2468	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	92
PID 1368 wrote to memory of 2468	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	92
PID 2468 wrote to memory of 3712	2468	net.exe	94
PID 2468 wrote to memory of 3712	2468	net.exe	94
PID 2468 wrote to memory of 3712	2468	net.exe	94
PID 1368 wrote to memory of 1684	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	95
PID 1368 wrote to memory of 1684	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	95
PID 1368 wrote to memory of 1684	1368	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	95
PID 1684 wrote to memory of 3728	1684	net.exe	97

C:\Users\Admin\AppData\Local\Temp\FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
"C:\Users\Admin\AppData\Local\Temp\FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
  "C:\Users\Admin\AppData\Local\Temp\FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe"
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\SysWOW64\net.exe
    net stop /y sql
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y sql
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\net.exe
    net stop /y CCSF
    3⤵
    PID:3664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y CCSF
      4⤵
      PID:3092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktop.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Windows\SysWOW64\net.exe
    net stop /y Exchange
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Exchange
      4⤵
      PID:1748
- - C:\Windows\SysWOW64\net.exe
    net stop /y SNAC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y SNAC
      4⤵
      PID:3208
- - C:\Windows\SysWOW64\net.exe
    net stop /y NetMsmq
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y NetMsmq
      4⤵
      PID:3232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im synctime.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- - C:\Windows\SysWOW64\net.exe
    net stop /y xchange
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y xchange
      4⤵
      PID:1588
- - C:\Windows\SysWOW64\net.exe
    net stop /y AcrSch
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y AcrSch
      4⤵
      PID:1908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msaccess.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im visio.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:512
- - C:\Windows\SysWOW64\net.exe
    net stop /y EsgShKernel
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y EsgShKernel
      4⤵
      PID:3712
- - C:\Windows\SysWOW64\net.exe
    net stop /y Enterprise
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Enterprise
      4⤵
      PID:3728
- - C:\Windows\SysWOW64\net.exe
    net stop /y UIODetect
    3⤵
    PID:3736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y UIODetect
      4⤵
      PID:636
- - C:\Windows\SysWOW64\net.exe
    net stop /y backup
    3⤵
    PID:3368
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y backup
      4⤵
      PID:916
- - C:\Windows\SysWOW64\net.exe
    net stop /y mfemms
    3⤵
    PID:3252
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y mfemms
      4⤵
      PID:1344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlbcoreservice.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mspub.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
- - C:\Windows\SysWOW64\net.exe
    net stop /y ESHASRV
    3⤵
    PID:1596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y ESHASRV
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thunderbird.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Windows\SysWOW64\net.exe
    net stop /y Smcinst
    3⤵
    PID:3532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Smcinst
      4⤵
      PID:3588
- - C:\Windows\SysWOW64\net.exe
    net stop /y acronis
    3⤵
    PID:64
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y acronis
      4⤵
      PID:4020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sql.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im CNTAoSMgr.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mbamtray.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- - C:\Windows\SysWOW64\net.exe
    net stop /y wbengine
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y wbengine
      4⤵
      PID:4036
- - C:\Windows\SysWOW64\net.exe
    net stop /y WRSVC
    3⤵
    PID:812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y WRSVC
      4⤵
      PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im tmlisten.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im PccNTMon.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\SysWOW64\net.exe
    net stop /y Veeam
    3⤵
    PID:2448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Veeam
      4⤵
      PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im winword.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\SysWOW64\net.exe
    net stop /y ekrn
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y ekrn
      4⤵
      PID:2108
- - C:\Windows\SysWOW64\net.exe
    net stop /y DCAgent
    3⤵
    PID:3340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y DCAgent
      4⤵
      PID:312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im oracle.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im xchange.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- - C:\Windows\SysWOW64\net.exe
    net stop /y ntrt
    3⤵
    PID:3652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y ntrt
      4⤵
      PID:1760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im calc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3176
- - C:\Windows\SysWOW64\net.exe
    net stop /y VeeamNFSSvc
    3⤵
    PID:2564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y VeeamNFSSvc
      4⤵
      PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopqos.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sofos.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im encsvc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\SysWOW64\net.exe
    net stop /y MsDts
    3⤵
    PID:2512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y MsDts
      4⤵
      PID:988
- - C:\Windows\SysWOW64\net.exe
    net stop /y EhttpSrv
    3⤵
    PID:3928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y EhttpSrv
      4⤵
      PID:3812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im word.exe /f
    3⤵
    - Kills process with taskkill
    PID:3312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im virtual.exe /f
    3⤵
    - Kills process with taskkill
    PID:2996
- - C:\Windows\SysWOW64\net.exe
    net stop /y Sophos
    3⤵
    PID:3000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Sophos
      4⤵
      PID:4040
- - C:\Windows\SysWOW64\net.exe
    net stop /y Afee
    3⤵
    PID:3748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Afee
      4⤵
      PID:3152
- - C:\Windows\SysWOW64\net.exe
    net stop /y Back
    3⤵
    PID:812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Back
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\net.exe
    net stop /y RESvc
    3⤵
    PID:4036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y RESvc
      4⤵
      PID:3832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ekrn.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im raccine.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3312
- - C:\Windows\SysWOW64\net.exe
    net stop /y Antivirus
    3⤵
    PID:828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Antivirus
      4⤵
      PID:3188
- - C:\Windows\SysWOW64\net.exe
    net stop /y W3S
    3⤵
    PID:3560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y W3S
      4⤵
      PID:3732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im outlook.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Windows\SysWOW64\net.exe
    net stop /y Endpoint
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Endpoint
      4⤵
      PID:1596
- - C:\Windows\SysWOW64\net.exe
    net stop /y EPUpdate
    3⤵
    PID:3700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y EPUpdate
      4⤵
      PID:3652
- - C:\Windows\SysWOW64\net.exe
    net stop /y klnagent
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y klnagent
      4⤵
      PID:2912
- - C:\Windows\SysWOW64\net.exe
    net stop /y swi_
    3⤵
    PID:3000
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y swi_
      4⤵
      PID:2880
- - C:\Windows\SysWOW64\net.exe
    net stop /y task
    3⤵
    PID:3376
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y task
      4⤵
      PID:3732
- - C:\Windows\SysWOW64\net.exe
    net stop /y AVP
    3⤵
    PID:2540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y AVP
      4⤵
      PID:3492
- - C:\Windows\SysWOW64\net.exe
    net stop /y TrueKey
    3⤵
    PID:2512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y TrueKey
      4⤵
      PID:3392
- - C:\Windows\SysWOW64\net.exe
    net stop /y vss
    3⤵
    PID:3928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y vss
      4⤵
      PID:3464
- - C:\Windows\SysWOW64\net.exe
    net stop /y EPSecurity
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y EPSecurity
      4⤵
      PID:872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im backup.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im xfssvccon.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im veeam.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\SysWOW64\net.exe
    net stop /y IMAP4
    3⤵
    PID:3640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y IMAP4
      4⤵
      PID:2216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Backup.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- - C:\Windows\SysWOW64\net.exe
    net stop /y vmwp
    3⤵
    PID:60
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y vmwp
      4⤵
      PID:3864
- - C:\Windows\SysWOW64\net.exe
    net stop /y mms
    3⤵
    PID:3548
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y mms
      4⤵
      PID:1616
- - C:\Windows\SysWOW64\net.exe
    net stop /y Eraser
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Eraser
      4⤵
      PID:3588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im wordpad.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\SysWOW64\net.exe
    net stop /y KAVF
    3⤵
    PID:2932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y KAVF
      4⤵
      PID:4040
- - C:\Windows\SysWOW64\net.exe
    net stop /y PDVF
    3⤵
    PID:3716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y PDVF
      4⤵
      PID:3396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im zoolz.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocssd.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:636
- - C:\Windows\SysWOW64\net.exe
    net stop /y mfefire
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y mfefire
      4⤵
      PID:3812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im isqlplussvc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im notepad.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqbcoreservice.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im vmwp.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- - C:\Windows\SysWOW64\net.exe
    net stop /y Monitor
    3⤵
    PID:260
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Monitor
      4⤵
      PID:1184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im onenote.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im firefox.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopservice.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:64
- - C:\Windows\SysWOW64\net.exe
    net stop /y bedbg
    3⤵
    PID:3000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y bedbg
      4⤵
      PID:4040
- - C:\Windows\SysWOW64\net.exe
    net stop /y IISAdmin
    3⤵
    PID:3552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y IISAdmin
      4⤵
      PID:3016
- - C:\Windows\SysWOW64\net.exe
    net stop /y FA_Scheduler
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y FA_Scheduler
      4⤵
      PID:3652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Ntrtscan.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- - C:\Windows\SysWOW64\net.exe
    net stop /y mfevtp
    3⤵
    PID:372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y mfevtp
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\net.exe
    net stop /y SMTP
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y SMTP
      4⤵
      PID:2220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im tbirdconfig.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\SysWOW64\net.exe
    net stop /y McShield
    3⤵
    PID:820
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y McShield
      4⤵
      PID:3152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im infopath.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\SysWOW64\net.exe
    net stop /y SmcService
    3⤵
    PID:3528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y SmcService
      4⤵
      PID:3552
- - C:\Windows\SysWOW64\net.exe
    net stop /y vmcomp
    3⤵
    PID:3396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y vmcomp
      4⤵
      PID:3652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocomm.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im steam.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im powerpnt.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
- - C:\Windows\SysWOW64\net.exe
    net stop /y POP3
    3⤵
    PID:3360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y POP3
      4⤵
      PID:2316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbeng.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im excel.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3120
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im vmcomp.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\SysWOW64\net.exe
    net stop /y tmlisten
    3⤵
    PID:3552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y tmlisten
      4⤵
      PID:1184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
- - C:\Windows\SysWOW64\net.exe
    net stop /y veeam
    3⤵
    PID:3184
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y veeam
      4⤵
      PID:3444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbeng50.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Raccine.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- - C:\Windows\SysWOW64\net.exe
    net stop /y VeeamTransportSvc
    3⤵
    PID:3360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y VeeamTransportSvc
      4⤵
      PID:2240
- - C:\Windows\SysWOW64\net.exe
    net stop /y MBAM
    3⤵
    PID:3656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y MBAM
      4⤵
      PID:432
- - C:\Windows\SysWOW64\net.exe
    net stop /y Report
    3⤵
    PID:1012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Report
      4⤵
      PID:3260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocautoupds.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im firefoxconfig.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\SysWOW64\net.exe
    net stop /y Backup
    3⤵
    PID:3348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Backup
      4⤵
      PID:3640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbsnmp.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /TN zE0xO6us /TR "CMD.EXE DEL /F /Q "{DNAME}\{PRNAME}" >> NUL" /sc once /st 00:00 /RL HIGHEST
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN zE0xO6us /TR "CMD.EXE DEL /F /Q "{DNAME}\{PRNAME}" >> NUL" /sc once /st 00:00 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "{PATHIM}" >> NUL" /sc once /st 00:00 /RL HIGHEST
    3⤵
    PID:2160
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "{PATHIM}" >> NUL" /sc once /st 00:00 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /TN zE0xO6bGus /TR "CMD.EXE DEL /F /Q "C:\ProgramData\pqBxGx.jpg" >> NUL" /sc once /st 00:00 /RL HIGHEST
    3⤵
    PID:1784
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN zE0xO6bGus /TR "CMD.EXE DEL /F /Q "C:\ProgramData\pqBxGx.jpg" >> NUL" /sc once /st 00:00 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Run /TN zE0xO6us
    3⤵
    PID:3352
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Run /TN zE0xO6us
      4⤵
      PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Run /TN zE0xO6tMpus
    3⤵
    PID:3120
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Run /TN zE0xO6tMpus
      4⤵
      PID:3260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Run /TN zE0xO6bGus
    3⤵
    PID:2124
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Run /TN zE0xO6bGus
      4⤵
      PID:2100

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:2584
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2584 -s 2208
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3136

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:512

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 2584 -ip 2584
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:812

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\re_ad_me.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3752

C:\Windows\system32\CMD.EXE
CMD.EXE DEL /F /Q {DNAME}\{PRNAME} >> NUL
1⤵
PID:2960

C:\Windows\system32\CMD.EXE
CMD.EXE DEL /F /Q {PATHIM} >> NUL
1⤵
PID:1220

C:\Windows\system32\CMD.EXE
CMD.EXE DEL /F /Q C:\ProgramData\pqBxGx.jpg >> NUL
1⤵
PID:2216

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\re_ad_me.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3832