5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618

Analysis

max time kernel
129s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618.hta
Size

46KB
MD5

a5d0578d4bbde7d8018b57a182b8704b
SHA1

437ddcf15b6f7f57afe1a945b2b4e120d8b905ba
SHA256

5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618
SHA512

06a533d477d2b171df9b8428f1b4ed8d3c131d3c7c086f4689b93698a8acedeb21c673e26c4df0baa6efbdc6cefd51fccb82e788eb7e41504d0c42f8f6296c47
SSDEEP

768:5f5twU0wvnwlEw9DuA7OYqWT81vc8hTqNQbprWegtyTDvYzS:tkU0a3w9nNT8L1qKbYftRe

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (1999) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	1892	mshta.exe
12	1892	mshta.exe
13	1892	mshta.exe
14	1892	mshta.exe
15	1892	mshta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-100.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\Icons_Icon_PoP_sm.png.locked	mshta.exe
File created	C:\Program Files\InitializeRemove.mpg.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\READ_ME10.html	mshta.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\GetHelpOffline2.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\6445_48x48x32.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16.png.locked	mshta.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\READ_ME10.html	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-white_scale-200.png.locked	mshta.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\ui-strings.js.locked	mshta.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt	mshta.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\READ_ME10.html	mshta.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_altform-unplated_contrast-white.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-white_scale-100.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png.locked	mshta.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	mshta.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\LargeTile.scale-125.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\onenote_whatsnew.xml.locked	mshta.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif	mshta.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt	mshta.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125_contrast-white.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteFirstRunCarousel_Animation2.mp4.locked	mshta.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-250.png.locked	mshta.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg	mshta.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-48_contrast-white.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-200.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-400.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\91.jpg.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SmallTile.scale-100_contrast-black.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png.locked	mshta.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.locked	mshta.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Star.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\1.rsrc.locked	mshta.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.tree.dat.locked	mshta.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF	mshta.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-100_contrast-black.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-150.png.locked	mshta.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif.locked	mshta.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg.locked	mshta.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\ui-strings.js.locked	mshta.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\READ_ME10.html	mshta.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Logo.scale-100_contrast-black.png.locked	mshta.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\AppxMetadata\READ_ME10.html	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-36.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\READ_ME10.html	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml.locked	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-24.png.locked	mshta.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml	mshta.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac	mshta.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_contrast-white.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-100.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-400.png.locked	mshta.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-250.png.locked	mshta.exe

Kills process with taskkill 40 IoCs

evasion

pid	Process
892	taskkill.exe
4936	taskkill.exe
4900	taskkill.exe
4268	taskkill.exe
1220	taskkill.exe
1292	taskkill.exe
3848	taskkill.exe
1300	taskkill.exe
4940	taskkill.exe
656	taskkill.exe
4008	taskkill.exe
4012	taskkill.exe
3856	taskkill.exe
972	taskkill.exe
608	taskkill.exe
2324	taskkill.exe
2156	taskkill.exe
4808	taskkill.exe
1456	taskkill.exe
4896	taskkill.exe
2972	taskkill.exe
3140	taskkill.exe
1604	taskkill.exe
2568	taskkill.exe
4072	taskkill.exe
4528	taskkill.exe
5016	taskkill.exe
2188	taskkill.exe
2832	taskkill.exe
2368	taskkill.exe
1088	taskkill.exe
2448	taskkill.exe
5076	taskkill.exe
4772	taskkill.exe
1312	taskkill.exe
4796	taskkill.exe
4956	taskkill.exe
2232	taskkill.exe
4396	taskkill.exe
632	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	1220	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	4940	taskkill.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeDebugPrivilege	608	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	5076	taskkill.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	4772	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	632	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 5108	1892	mshta.exe	86
PID 1892 wrote to memory of 5108	1892	mshta.exe	86
PID 1892 wrote to memory of 5108	1892	mshta.exe	86
PID 5108 wrote to memory of 3572	5108	cmd.exe	88
PID 5108 wrote to memory of 3572	5108	cmd.exe	88
PID 5108 wrote to memory of 3572	5108	cmd.exe	88
PID 3572 wrote to memory of 1556	3572	net.exe	89
PID 3572 wrote to memory of 1556	3572	net.exe	89
PID 3572 wrote to memory of 1556	3572	net.exe	89
PID 1892 wrote to memory of 4864	1892	mshta.exe	90
PID 1892 wrote to memory of 4864	1892	mshta.exe	90
PID 1892 wrote to memory of 4864	1892	mshta.exe	90
PID 4864 wrote to memory of 2008	4864	cmd.exe	92
PID 4864 wrote to memory of 2008	4864	cmd.exe	92
PID 4864 wrote to memory of 2008	4864	cmd.exe	92
PID 2008 wrote to memory of 3212	2008	net.exe	93
PID 2008 wrote to memory of 3212	2008	net.exe	93
PID 2008 wrote to memory of 3212	2008	net.exe	93
PID 1892 wrote to memory of 4928	1892	mshta.exe	94
PID 1892 wrote to memory of 4928	1892	mshta.exe	94
PID 1892 wrote to memory of 4928	1892	mshta.exe	94
PID 4928 wrote to memory of 4692	4928	cmd.exe	96
PID 4928 wrote to memory of 4692	4928	cmd.exe	96
PID 4928 wrote to memory of 4692	4928	cmd.exe	96
PID 4692 wrote to memory of 4108	4692	net.exe	97
PID 4692 wrote to memory of 4108	4692	net.exe	97
PID 4692 wrote to memory of 4108	4692	net.exe	97
PID 1892 wrote to memory of 4268	1892	mshta.exe	98
PID 1892 wrote to memory of 4268	1892	mshta.exe	98
PID 1892 wrote to memory of 4268	1892	mshta.exe	98
PID 4268 wrote to memory of 1824	4268	cmd.exe	100
PID 4268 wrote to memory of 1824	4268	cmd.exe	100
PID 4268 wrote to memory of 1824	4268	cmd.exe	100
PID 1824 wrote to memory of 4632	1824	net.exe	101
PID 1824 wrote to memory of 4632	1824	net.exe	101
PID 1824 wrote to memory of 4632	1824	net.exe	101
PID 1892 wrote to memory of 1996	1892	mshta.exe	102
PID 1892 wrote to memory of 1996	1892	mshta.exe	102
PID 1892 wrote to memory of 1996	1892	mshta.exe	102
PID 1996 wrote to memory of 4664	1996	cmd.exe	104
PID 1996 wrote to memory of 4664	1996	cmd.exe	104
PID 1996 wrote to memory of 4664	1996	cmd.exe	104
PID 4664 wrote to memory of 4636	4664	net.exe	105
PID 4664 wrote to memory of 4636	4664	net.exe	105
PID 4664 wrote to memory of 4636	4664	net.exe	105
PID 1892 wrote to memory of 1196	1892	mshta.exe	106
PID 1892 wrote to memory of 1196	1892	mshta.exe	106
PID 1892 wrote to memory of 1196	1892	mshta.exe	106
PID 1196 wrote to memory of 748	1196	cmd.exe	108
PID 1196 wrote to memory of 748	1196	cmd.exe	108
PID 1196 wrote to memory of 748	1196	cmd.exe	108
PID 748 wrote to memory of 2232	748	net.exe	109
PID 748 wrote to memory of 2232	748	net.exe	109
PID 748 wrote to memory of 2232	748	net.exe	109
PID 1892 wrote to memory of 4624	1892	mshta.exe	110
PID 1892 wrote to memory of 4624	1892	mshta.exe	110
PID 1892 wrote to memory of 4624	1892	mshta.exe	110
PID 4624 wrote to memory of 3784	4624	cmd.exe	112
PID 4624 wrote to memory of 3784	4624	cmd.exe	112
PID 4624 wrote to memory of 3784	4624	cmd.exe	112
PID 3784 wrote to memory of 3124	3784	net.exe	113
PID 3784 wrote to memory of 3124	3784	net.exe	113
PID 3784 wrote to memory of 3124	3784	net.exe	113
PID 1892 wrote to memory of 1068	1892	mshta.exe	114

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop SQLTELEMETRY
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\net.exe
    net stop SQLTELEMETRY
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLTELEMETRY
      4⤵
      PID:1556
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop ReportServer
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\net.exe
    net stop ReportServer
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ReportServer
      4⤵
      PID:3212
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:4108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop MSSQLServerOLAPService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerOLAPService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerOLAPService
      4⤵
      PID:4632
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:4636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2232
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop mssqlserver
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\SysWOW64\net.exe
    net stop mssqlserver
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mssqlserver
      4⤵
      PID:3124
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop msmq
  2⤵
  PID:1068
- - C:\Windows\SysWOW64\net.exe
    net stop msmq
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop msmq
      4⤵
      PID:3316
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop mssql
  2⤵
  PID:552
- - C:\Windows\SysWOW64\net.exe
    net stop mssql
    3⤵
    PID:3588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mssql
      4⤵
      PID:4652
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop mysql
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\net.exe
    net stop mysql
    3⤵
    PID:3500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mysql
      4⤵
      PID:4116
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop mongodb
  2⤵
  PID:4312
- - C:\Windows\SysWOW64\net.exe
    net stop mongodb
    3⤵
    PID:880
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mongodb
      4⤵
      PID:2640
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop rabbitmq
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\net.exe
    net stop rabbitmq
    3⤵
    PID:2592
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop rabbitmq
      4⤵
      PID:2860
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c vssadmin delete shadows /all
  2⤵
  PID:4376
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im msftesql.exe
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msftesql.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im sqlagent.exe
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlagent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im sqlbrowser.exe
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlbrowser.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im sqlservr.exe
  2⤵
  PID:4156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlservr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im sqlwriter.exe
  2⤵
  PID:4352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4900
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im oracle.exe
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im oracle.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im ocssd.exe
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ocssd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im dbsnmp.exe
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dbsnmp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im synctime.exe
  2⤵
  PID:3828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im synctime.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im mydesktopqos.exe
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mydesktopqos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im agntsvc.exeisqlplussvc.exe
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im agntsvc.exeisqlplussvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im xfssvccon.exe
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im xfssvccon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4268
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im mydesktopservice.exe
  2⤵
  PID:4684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mydesktopservice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im ocautoupds.exe
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ocautoupds.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im agntsvc.exeagntsvc.exe
  2⤵
  PID:548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im agntsvc.exeagntsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im agntsvc.exeencsvc.exe
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im agntsvc.exeencsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im firefoxconfig.exe
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im firefoxconfig.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im tbirdconfig.exe
  2⤵
  PID:3820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tbirdconfig.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im ocomm.exe
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ocomm.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im mysqld.exe
  2⤵
  PID:4388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mysqld.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:656
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im mysqld-nt.exe
  2⤵
  PID:4680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mysqld-nt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im mysqld-opt.exe
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mysqld-opt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im dbeng50.exe
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dbeng50.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im sqbcoreservice.exe
  2⤵
  PID:468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqbcoreservice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im excel.exe
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im infopath.exe
  2⤵
  PID:4352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im infopath.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:608
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im msaccess.exe
  2⤵
  PID:4572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msaccess.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im mspub.exe
  2⤵
  PID:4636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mspub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im onenote.exe
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im onenote.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im outlook.exe
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im outlook.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im powerpnt.exe
  2⤵
  PID:1012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im powerpnt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im steam.exe
  2⤵
  PID:4544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im steam.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im sqlservr.exe
  2⤵
  PID:3600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlservr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im thebat.exe
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im thebat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im thebat64.exe
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im thebat64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im thunderbird.exe
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im thunderbird.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im visio.exe
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im visio.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im winword.exe
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im wordpad.exe
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wordpad.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im tnslsnr.exe
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tnslsnr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\READ_ME10.html

Filesize
1KB

MD5
24111e141b8833c19b76ab2ce993100a

SHA1
4dee0d74887ce00039ad28142e61889ce809ea4c

SHA256
76f360fc9606f508530f53dfe50558e987d639b9f20aea9c6600b9e8110cdbc7

SHA512
35394c465bfaea736562b893674651836dc0432cce6e2fde691e00e30e755682384a550d0b79980a525ab019112ee39b9260023afeca4a9cba87513d4832c6ea

Download Submit
memory/1892-0-0x00000000722A2000-0x00000000722A3000-memory.dmp

Filesize
4KB

Download
memory/1892-1-0x00000000722A0000-0x0000000072851000-memory.dmp

Filesize
5.7MB

Download
memory/1892-2-0x00000000722A0000-0x0000000072851000-memory.dmp

Filesize
5.7MB

Download
memory/1892-7-0x00000000722A0000-0x0000000072851000-memory.dmp

Filesize
5.7MB

Download
memory/1892-10-0x00000000722A2000-0x00000000722A3000-memory.dmp

Filesize
4KB

Download
memory/1892-11-0x00000000722A0000-0x0000000072851000-memory.dmp

Filesize
5.7MB

Download