ammyyadmin | 70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade

pid	Process
2236	bcdedit.exe
1300	bcdedit.exe

Renames multiple (86) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
1860	wbadmin.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2768	netsh.exe
2720	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\International\Geo\Nation	svchost.exe

Deletes itself 1 IoCs

pid	Process
2584	certreq.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\D578.exe	D578.exe

Executes dropped EXE 25 IoCs

pid	Process
1960	YE)OB.exe
2432	YE)OB.exe
1616	YE)OB.exe
320	YE)OB.exe
1920	YE)OB.exe
1520	YE)OB.exe
2736	YE)OB.exe
1544	YE)OB.exe
564	YE)OB.exe
596	YE)OB.exe
692	YE)OB.exe
368	zj%6EfCu.exe
296	zj%6EfCu.exe
1296	D578.exe
2424	D578.exe
1808	D578.exe
1120	D9FB.exe
832	D578.exe
2176	D578.exe
1536	D578.exe
1552	D578.exe
1388	D578.exe
672	D9FB.exe
2584	svchost.exe
2624	D9FB.exe

Loads dropped DLL 14 IoCs

pid	Process
1296	D578.exe
1808	D578.exe
1808	D578.exe
1808	D578.exe
1808	D578.exe
1808	D578.exe
1120	D9FB.exe
1120	D9FB.exe
2712	explorer.exe
2712	explorer.exe
1736	rundll32.exe
1736	rundll32.exe
1736	rundll32.exe
1736	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D578 = "C:\\Users\\Admin\\AppData\\Local\\D578.exe"	D578.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\D578 = "C:\\Users\\Admin\\AppData\\Local\\D578.exe"	D578.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3849525425-30183055-657688904-1000\desktop.ini	D578.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3849525425-30183055-657688904-1000\desktop.ini	D578.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	D578.exe
File opened for modification	C:\Program Files\desktop.ini	D578.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2776	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	31
PID 368 set thread context of 296	368	zj%6EfCu.exe	43
PID 1296 set thread context of 2424	1296	D578.exe	51
PID 1808 set thread context of 1388	1808	D578.exe	55
PID 1120 set thread context of 2624	1120	D9FB.exe	78

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Java\jre7\bin\jfr.dll.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Internet Explorer\sqmapi.dll	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar	D578.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-1.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\eula.rtf	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Matamoros.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar	D578.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msaddsr.dll	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml	D578.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui	D578.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui	D578.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar	D578.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui	D578.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	D578.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png	D578.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml	D578.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Brussels	D578.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Reunion.id[588A7ED8-3483].[[email protected]].8base	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	D578.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar	D578.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zj%6EfCu.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zj%6EfCu.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zj%6EfCu.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
2292	vssadmin.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	534e8c1d3d71f8736793b80048c3dbdd.exe
2700	534e8c1d3d71f8736793b80048c3dbdd.exe
2700	534e8c1d3d71f8736793b80048c3dbdd.exe
2776	534e8c1d3d71f8736793b80048c3dbdd.exe
2776	534e8c1d3d71f8736793b80048c3dbdd.exe
2776	534e8c1d3d71f8736793b80048c3dbdd.exe
2776	534e8c1d3d71f8736793b80048c3dbdd.exe
2584	certreq.exe
2584	certreq.exe
2584	certreq.exe
2584	certreq.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
1960	YE)OB.exe
296	zj%6EfCu.exe
296	zj%6EfCu.exe
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1216	Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

pid	Process
296	zj%6EfCu.exe
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
2712	explorer.exe
2712	explorer.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	534e8c1d3d71f8736793b80048c3dbdd.exe
Token: SeDebugPrivilege	1960	YE)OB.exe
Token: SeDebugPrivilege	368	zj%6EfCu.exe
Token: SeDebugPrivilege	1296	D578.exe
Token: SeDebugPrivilege	1808	D578.exe
Token: SeDebugPrivilege	1120	D9FB.exe
Token: SeDebugPrivilege	2424	D578.exe
Token: SeBackupPrivilege	1964	vssvc.exe
Token: SeRestorePrivilege	1964	vssvc.exe
Token: SeAuditPrivilege	1964	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1720	WMIC.exe
Token: SeSecurityPrivilege	1720	WMIC.exe
Token: SeTakeOwnershipPrivilege	1720	WMIC.exe
Token: SeLoadDriverPrivilege	1720	WMIC.exe
Token: SeSystemProfilePrivilege	1720	WMIC.exe
Token: SeSystemtimePrivilege	1720	WMIC.exe
Token: SeProfSingleProcessPrivilege	1720	WMIC.exe
Token: SeIncBasePriorityPrivilege	1720	WMIC.exe
Token: SeCreatePagefilePrivilege	1720	WMIC.exe
Token: SeBackupPrivilege	1720	WMIC.exe
Token: SeRestorePrivilege	1720	WMIC.exe
Token: SeShutdownPrivilege	1720	WMIC.exe
Token: SeDebugPrivilege	1720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1720	WMIC.exe
Token: SeRemoteShutdownPrivilege	1720	WMIC.exe
Token: SeUndockPrivilege	1720	WMIC.exe
Token: SeManageVolumePrivilege	1720	WMIC.exe
Token: 33	1720	WMIC.exe
Token: 34	1720	WMIC.exe
Token: 35	1720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1720	WMIC.exe
Token: SeSecurityPrivilege	1720	WMIC.exe
Token: SeTakeOwnershipPrivilege	1720	WMIC.exe
Token: SeLoadDriverPrivilege	1720	WMIC.exe
Token: SeSystemProfilePrivilege	1720	WMIC.exe
Token: SeSystemtimePrivilege	1720	WMIC.exe
Token: SeProfSingleProcessPrivilege	1720	WMIC.exe
Token: SeIncBasePriorityPrivilege	1720	WMIC.exe
Token: SeCreatePagefilePrivilege	1720	WMIC.exe
Token: SeBackupPrivilege	1720	WMIC.exe
Token: SeRestorePrivilege	1720	WMIC.exe
Token: SeShutdownPrivilege	1720	WMIC.exe
Token: SeDebugPrivilege	1720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1720	WMIC.exe
Token: SeRemoteShutdownPrivilege	1720	WMIC.exe
Token: SeUndockPrivilege	1720	WMIC.exe
Token: SeManageVolumePrivilege	1720	WMIC.exe
Token: 33	1720	WMIC.exe
Token: 34	1720	WMIC.exe
Token: 35	1720	WMIC.exe
Token: SeBackupPrivilege	1820	wbengine.exe
Token: SeRestorePrivilege	1820	wbengine.exe
Token: SeSecurityPrivilege	1820	wbengine.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2584	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2624	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	28
PID 2700 wrote to memory of 2624	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	28
PID 2700 wrote to memory of 2624	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	28
PID 2700 wrote to memory of 2624	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	28
PID 2700 wrote to memory of 2668	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	29
PID 2700 wrote to memory of 2668	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	29
PID 2700 wrote to memory of 2668	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	29
PID 2700 wrote to memory of 2668	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	29
PID 2700 wrote to memory of 2772	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	30
PID 2700 wrote to memory of 2772	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	30
PID 2700 wrote to memory of 2772	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	30
PID 2700 wrote to memory of 2772	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	30
PID 2700 wrote to memory of 2776	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	31
PID 2700 wrote to memory of 2776	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	31
PID 2700 wrote to memory of 2776	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	31
PID 2700 wrote to memory of 2776	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	31
PID 2700 wrote to memory of 2776	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	31
PID 2700 wrote to memory of 2776	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	31
PID 2700 wrote to memory of 2776	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	31
PID 2700 wrote to memory of 2776	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	31
PID 2700 wrote to memory of 2776	2700	534e8c1d3d71f8736793b80048c3dbdd.exe	31
PID 2776 wrote to memory of 2584	2776	534e8c1d3d71f8736793b80048c3dbdd.exe	33
PID 2776 wrote to memory of 2584	2776	534e8c1d3d71f8736793b80048c3dbdd.exe	33
PID 2776 wrote to memory of 2584	2776	534e8c1d3d71f8736793b80048c3dbdd.exe	33
PID 2776 wrote to memory of 2584	2776	534e8c1d3d71f8736793b80048c3dbdd.exe	33
PID 2776 wrote to memory of 2584	2776	534e8c1d3d71f8736793b80048c3dbdd.exe	33
PID 2776 wrote to memory of 2584	2776	534e8c1d3d71f8736793b80048c3dbdd.exe	33
PID 1960 wrote to memory of 2432	1960	YE)OB.exe	38
PID 1960 wrote to memory of 2432	1960	YE)OB.exe	38
PID 1960 wrote to memory of 2432	1960	YE)OB.exe	38
PID 1960 wrote to memory of 2432	1960	YE)OB.exe	38
PID 1960 wrote to memory of 1616	1960	YE)OB.exe	49
PID 1960 wrote to memory of 1616	1960	YE)OB.exe	49
PID 1960 wrote to memory of 1616	1960	YE)OB.exe	49
PID 1960 wrote to memory of 1616	1960	YE)OB.exe	49
PID 1960 wrote to memory of 320	1960	YE)OB.exe	48
PID 1960 wrote to memory of 320	1960	YE)OB.exe	48
PID 1960 wrote to memory of 320	1960	YE)OB.exe	48
PID 1960 wrote to memory of 320	1960	YE)OB.exe	48
PID 1960 wrote to memory of 1920	1960	YE)OB.exe	47
PID 1960 wrote to memory of 1920	1960	YE)OB.exe	47
PID 1960 wrote to memory of 1920	1960	YE)OB.exe	47
PID 1960 wrote to memory of 1920	1960	YE)OB.exe	47
PID 1960 wrote to memory of 1520	1960	YE)OB.exe	46
PID 1960 wrote to memory of 1520	1960	YE)OB.exe	46
PID 1960 wrote to memory of 1520	1960	YE)OB.exe	46
PID 1960 wrote to memory of 1520	1960	YE)OB.exe	46
PID 1960 wrote to memory of 2736	1960	YE)OB.exe	45
PID 1960 wrote to memory of 2736	1960	YE)OB.exe	45
PID 1960 wrote to memory of 2736	1960	YE)OB.exe	45
PID 1960 wrote to memory of 2736	1960	YE)OB.exe	45
PID 1960 wrote to memory of 1544	1960	YE)OB.exe	44
PID 1960 wrote to memory of 1544	1960	YE)OB.exe	44
PID 1960 wrote to memory of 1544	1960	YE)OB.exe	44
PID 1960 wrote to memory of 1544	1960	YE)OB.exe	44
PID 1960 wrote to memory of 564	1960	YE)OB.exe	42
PID 1960 wrote to memory of 564	1960	YE)OB.exe	42
PID 1960 wrote to memory of 564	1960	YE)OB.exe	42
PID 1960 wrote to memory of 564	1960	YE)OB.exe	42
PID 1960 wrote to memory of 596	1960	YE)OB.exe	41
PID 1960 wrote to memory of 596	1960	YE)OB.exe	41
PID 1960 wrote to memory of 596	1960	YE)OB.exe	41
PID 1960 wrote to memory of 596	1960	YE)OB.exe	41
PID 1960 wrote to memory of 692	1960	YE)OB.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
PID:1216
- C:\Users\Admin\AppData\Local\Temp\534e8c1d3d71f8736793b80048c3dbdd.exe
  "C:\Users\Admin\AppData\Local\Temp\534e8c1d3d71f8736793b80048c3dbdd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\534e8c1d3d71f8736793b80048c3dbdd.exe
    C:\Users\Admin\AppData\Local\Temp\534e8c1d3d71f8736793b80048c3dbdd.exe
    3⤵
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\534e8c1d3d71f8736793b80048c3dbdd.exe
    C:\Users\Admin\AppData\Local\Temp\534e8c1d3d71f8736793b80048c3dbdd.exe
    3⤵
    PID:2668
- - C:\Users\Admin\AppData\Local\Temp\534e8c1d3d71f8736793b80048c3dbdd.exe
    C:\Users\Admin\AppData\Local\Temp\534e8c1d3d71f8736793b80048c3dbdd.exe
    3⤵
    PID:2772
- - C:\Users\Admin\AppData\Local\Temp\534e8c1d3d71f8736793b80048c3dbdd.exe
    C:\Users\Admin\AppData\Local\Temp\534e8c1d3d71f8736793b80048c3dbdd.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2776
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Deletes itself
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\D578.exe
  C:\Users\Admin\AppData\Local\Temp\D578.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\D578.exe
    C:\Users\Admin\AppData\Local\Temp\D578.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\D578.exe
      "C:\Users\Admin\AppData\Local\Temp\D578.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1808
    - - C:\Users\Admin\AppData\Local\Temp\D578.exe
        
        C:\Users\Admin\AppData\Local\Temp\D578.exe
        5⤵
        Executes dropped EXE
        
        PID:832
    - - C:\Users\Admin\AppData\Local\Temp\D578.exe
        
        C:\Users\Admin\AppData\Local\Temp\D578.exe
        5⤵
        Executes dropped EXE
        
        PID:1388
    - - C:\Users\Admin\AppData\Local\Temp\D578.exe
        
        C:\Users\Admin\AppData\Local\Temp\D578.exe
        5⤵
        Executes dropped EXE
        
        PID:1536
    - - C:\Users\Admin\AppData\Local\Temp\D578.exe
        
        C:\Users\Admin\AppData\Local\Temp\D578.exe
        5⤵
        Executes dropped EXE
        
        PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\D578.exe
        
        C:\Users\Admin\AppData\Local\Temp\D578.exe
        5⤵
        Executes dropped EXE
        
        PID:2176
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2960
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        5⤵
        Modifies Windows Firewall
        
        PID:2768
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=disable
        5⤵
        Modifies Windows Firewall
        
        PID:2720
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:544
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2292
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2236
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1300
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:1860
- C:\Users\Admin\AppData\Local\Temp\D9FB.exe
  C:\Users\Admin\AppData\Local\Temp\D9FB.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\D9FB.exe
    "C:\Users\Admin\AppData\Local\Temp\D9FB.exe"
    3⤵
    - Executes dropped EXE
    PID:672
- - C:\Users\Admin\AppData\Local\Temp\D9FB.exe
    "C:\Users\Admin\AppData\Local\Temp\D9FB.exe"
    3⤵
    - Executes dropped EXE
    PID:2624
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1012
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2496
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1568
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2576
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2884
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1524
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1804
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2124
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1592
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2636
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3056
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3024
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2380
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2744
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: MapViewOfSection
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\930C.tmp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\930C.tmp\svchost.exe -debug
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    PID:2584
  - - C:\Windows\SysWOW64\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:996
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\930C.tmp\aa_nts.dll",run
      4⤵
      Loads dropped DLL
      PID:1736

C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
"C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  2⤵
  - Executes dropped EXE
  PID:596
- C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  C:\Users\Admin\AppData\Local\Microsoft\YE)OB.exe
  2⤵
  - Executes dropped EXE
  PID:1616

C:\Users\Admin\AppData\Local\Microsoft\zj%6EfCu.exe
"C:\Users\Admin\AppData\Local\Microsoft\zj%6EfCu.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:368
- C:\Users\Admin\AppData\Local\Microsoft\zj%6EfCu.exe
  C:\Users\Admin\AppData\Local\Microsoft\zj%6EfCu.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:296

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2012

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery