8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc

Analysis

max time kernel
182s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
12-02-2022 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe
Size

994KB
MD5

21a69dfb179a807024a0b8d5838c945c
SHA1

78e680ace5f3c0c226a12210f093f0c5b0e85542
SHA256

8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc
SHA512

55567a6859f33f2d18a59136cd87458a9219eb9ef9585a305e08ea8f42508460b36b95ef3b5474d5e6eddd64e691cd45fbd9ccb755825a1e336815fe45a04c0a

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.036155"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892758129522791"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.272793"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4304"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 3644 wrote to memory of 1548	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 1548	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 1548	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 1548 wrote to memory of 1308	1548	cmd.exe	net.exe
PID 1548 wrote to memory of 1308	1548	cmd.exe	net.exe
PID 1548 wrote to memory of 1308	1548	cmd.exe	net.exe
PID 1308 wrote to memory of 3056	1308	net.exe	net1.exe
PID 1308 wrote to memory of 3056	1308	net.exe	net1.exe
PID 1308 wrote to memory of 3056	1308	net.exe	net1.exe
PID 3644 wrote to memory of 3944	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 3944	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 3944	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3944 wrote to memory of 3460	3944	cmd.exe	net.exe
PID 3944 wrote to memory of 3460	3944	cmd.exe	net.exe
PID 3944 wrote to memory of 3460	3944	cmd.exe	net.exe
PID 3460 wrote to memory of 3168	3460	net.exe	net1.exe
PID 3460 wrote to memory of 3168	3460	net.exe	net1.exe
PID 3460 wrote to memory of 3168	3460	net.exe	net1.exe
PID 3644 wrote to memory of 1800	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 1800	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 1800	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 1800 wrote to memory of 3320	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 3320	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 3320	1800	cmd.exe	net.exe
PID 3320 wrote to memory of 3724	3320	net.exe	net1.exe
PID 3320 wrote to memory of 3724	3320	net.exe	net1.exe
PID 3320 wrote to memory of 3724	3320	net.exe	net1.exe
PID 3644 wrote to memory of 3620	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 3620	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 3620	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3620 wrote to memory of 3032	3620	cmd.exe	net.exe
PID 3620 wrote to memory of 3032	3620	cmd.exe	net.exe
PID 3620 wrote to memory of 3032	3620	cmd.exe	net.exe
PID 3032 wrote to memory of 2372	3032	net.exe	net1.exe
PID 3032 wrote to memory of 2372	3032	net.exe	net1.exe
PID 3032 wrote to memory of 2372	3032	net.exe	net1.exe
PID 3644 wrote to memory of 1256	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 1256	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 1256	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 1256 wrote to memory of 3396	1256	cmd.exe	net.exe
PID 1256 wrote to memory of 3396	1256	cmd.exe	net.exe
PID 1256 wrote to memory of 3396	1256	cmd.exe	net.exe
PID 3396 wrote to memory of 1852	3396	net.exe	net1.exe
PID 3396 wrote to memory of 1852	3396	net.exe	net1.exe
PID 3396 wrote to memory of 1852	3396	net.exe	net1.exe
PID 3644 wrote to memory of 932	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 932	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 932	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 2636	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 2636	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 2636	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 1320	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 1320	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 1320	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 1532	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 1532	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 3644 wrote to memory of 1532	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe
PID 1532 wrote to memory of 3164	1532	cmd.exe	net.exe
PID 1532 wrote to memory of 3164	1532	cmd.exe	net.exe
PID 1532 wrote to memory of 3164	1532	cmd.exe	net.exe
PID 3164 wrote to memory of 3052	3164	net.exe	net1.exe
PID 3164 wrote to memory of 3052	3164	net.exe	net1.exe
PID 3164 wrote to memory of 3052	3164	net.exe	net1.exe
PID 3644 wrote to memory of 3236	3644	8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe
"C:\Users\Admin\AppData\Local\Temp\8dff91cfab0e19c504ff9e9f207ce1e4a4ca5ef8585513e008ffe02bca9075cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:3056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:3168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:2372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:3052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:3236
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:3968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:3504
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:3528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:3944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1800

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads