Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 18-04-2021 05:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6EC77929D5F70F9BC4724D23DDBC2653.exe
- Resource: win7v20210410
General
- Target: 6EC77929D5F70F9BC4724D23DDBC2653.exe
- Size: 838KB
- MD5: 6ec77929d5f70f9bc4724d23ddbc2653
- SHA1: da208bfa51ed091056f03dff8f1ba540472210d8
- SHA256: 03e3837f16d46a1a0a13904fae467c105b1aae66b382e8313b20b90269e53ed6
- SHA512: 370d956fb270a6f136a85983542195414790b116dd4166d448b7c55c9846e18959758117cd399196c62c51f1817a2e633e2e95d10565c4858250f7162f0ddfe6
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Executes dropped EXE (5 IoCs)
Processes (pid | process):
- 3856 | K480101741BH.exe
- 932 | modylsid.exe
- 2660 | modylsid.exe
- 1352 | 1s75i91qs3_1.exe
- 2924 | 959m3m1kk7o7aq1.exe

Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\1s75i91qs3.exe" | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\1s75i91qs3.exe\"" | explorer.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\1s75i91qs3.exe\"" | explorer.exe

Checks whether UAC is enabled (2 IoCs)
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | modylsid.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Drops desktop.ini file(s) (1 IoCs)
Processes (description | ioc | process):
- File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
Processes (pid | process):
- 2660 | modylsid.exe
- 2464 | explorer.exe (10 entries)
Suspicious use of SetThreadContext (2 IoCs)
Processes (description | pid process | procid_target):
- PID 932 set thread context of 2660 | 932 modylsid.exe | 91
- PID 1352 set thread context of 0 | 1352 1s75i91qs3_1.exe | (none recorded)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | modylsid.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | modylsid.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Delays execution with timeout.exe (5 IoCs)
Processes (pid | process):
- 3708 | timeout.exe
- 2528 | timeout.exe
- 2848 | timeout.exe
- 3532 | timeout.exe
- 2324 | timeout.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Kills process with taskkill (2 IoCs)
Processes (pid | process):
- 3736 | taskkill.exe
- 2792 | taskkill.exe
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes (description | ioc | process):
- Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe

Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe

Modifies Internet Explorer settings (3 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
Modifies registry class (2 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | 6EC77929D5F70F9BC4724D23DDBC2653.exe
- Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | cmd.exe
NTFS ADS (2 IoCs)
Processes (description | ioc | process):
- File opened for modification | C:\Users\Admin\AppData\Local\Temp\1s75i91qs3_1.exe:14EDFC78 | explorer.exe
- File created | C:\Users\Admin\AppData\Local\Temp\1s75i91qs3_1.exe:14EDFC78 | explorer.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
Processes (pid | process):
- 2464 | explorer.exe (32 entries)
- 2128 | powershell.exe (3 entries)
- 3164 | powershell.exe (3 entries)
- 3044 | powershell.exe (3 entries)
- 3856 | powershell.exe (3 entries)
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid | process):
- 2660 | modylsid.exe (2 entries)
- 2464 | explorer.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (pid process | tokens):
- 3736 taskkill.exe | SeDebugPrivilege
- 2660 modylsid.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- 2792 taskkill.exe | SeDebugPrivilege
- 2464 explorer.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- 2128 powershell.exe | SeDebugPrivilege
- 3164 powershell.exe | SeDebugPrivilege
- 3044 powershell.exe | SeDebugPrivilege
- 3856 powershell.exe | SeDebugPrivilege
- 3164 powershell.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 2128 powershell.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid | process):
- 2924 | 959m3m1kk7o7aq1.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid process | procid_target; repeated identical rows are collapsed with a count):
- PID 784 wrote to memory of 200 | 784 6EC77929D5F70F9BC4724D23DDBC2653.exe | 75 (3 entries)
- PID 200 wrote to memory of 4092 | 200 WScript.exe | 76 (3 entries)
- PID 4092 wrote to memory of 3708 | 4092 cmd.exe | 78 (3 entries)
- PID 4092 wrote to memory of 3856 | 4092 cmd.exe | 82 (3 entries)
- PID 4092 wrote to memory of 2528 | 4092 cmd.exe | 83 (3 entries)
- PID 4092 wrote to memory of 2844 | 4092 cmd.exe | 84 (3 entries)
- PID 4092 wrote to memory of 2848 | 4092 cmd.exe | 85 (3 entries)
- PID 2844 wrote to memory of 1456 | 2844 WScript.exe | 86 (3 entries)
- PID 1456 wrote to memory of 3712 | 1456 cmd.exe | 88 (3 entries)
- PID 1456 wrote to memory of 3532 | 1456 cmd.exe | 89 (3 entries)
- PID 1456 wrote to memory of 932 | 1456 cmd.exe | 90 (3 entries)
- PID 932 wrote to memory of 2660 | 932 modylsid.exe | 91 (5 entries)
- PID 1456 wrote to memory of 3736 | 1456 cmd.exe | 92 (3 entries)
- PID 1456 wrote to memory of 2792 | 1456 cmd.exe | 93 (3 entries)
- PID 1456 wrote to memory of 2384 | 1456 cmd.exe | 94 (3 entries)
- PID 1456 wrote to memory of 2324 | 1456 cmd.exe | 95 (3 entries)
- PID 2660 wrote to memory of 2464 | 2660 modylsid.exe | 96 (3 entries)
- PID 2464 wrote to memory of 4092 | 2464 explorer.exe | 76 (2 entries)
- PID 2464 wrote to memory of 2848 | 2464 explorer.exe | 85 (2 entries)
- PID 2464 wrote to memory of 1456 | 2464 explorer.exe | 86 (2 entries)
- PID 2464 wrote to memory of 2324 | 2464 explorer.exe | 95 (2 entries)
- PID 2464 wrote to memory of 1352 | 2464 explorer.exe | 97 (3 entries)
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes (pid | process):
- 3712 | attrib.exe
- 2384 | attrib.exe
Processes (process tree; the leading number is the depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\6EC77929D5F70F9BC4724D23DDBC2653.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6EC77929D5F70F9BC4724D23DDBC2653.exe"
   PID: 784
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\WScript.exe
     Command line: "C:\Windows\System32\WScript.exe" "C:\booking\data\startbook.vbs" /f=CREATE_NO_WINDOW install.cmd
     PID: 200
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe
       Command line: C:\Windows\system32\cmd.exe /c ""C:\booking\data\start1.bat" "
       PID: 4092
       - Modifies registry class
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 7
         PID: 3708
         - Delays execution with timeout.exe
      4. C:\booking\data\K480101741BH.exe
         Command line: "K480101741BH.exe" e -psetup wid.rar
         PID: 3856
         - Executes dropped EXE
      4. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 6
         PID: 2528
         - Delays execution with timeout.exe
      4. C:\Windows\SysWOW64\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\booking\data\fbk.vbs"
         PID: 2844
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\cmd.exe
           Command line: C:\Windows\system32\cmd.exe /c ""C:\booking\data\445.bat" "
           PID: 1456
           - Checks whether UAC is enabled
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\attrib.exe
             Command line: attrib +s +h "C:\booking"
             PID: 3712
             - Views/modifies file attributes
          6. C:\Windows\SysWOW64\timeout.exe
             Command line: timeout 2
             PID: 3532
             - Delays execution with timeout.exe
          6. C:\booking\data\modylsid.exe
             Command line: modylsid.exe /start
             PID: 932
             - Executes dropped EXE
             - Suspicious use of SetThreadContext
             - Suspicious use of WriteProcessMemory
            7. C:\booking\data\modylsid.exe
               Command line: modylsid.exe /start
               PID: 2660
               - Executes dropped EXE
               - Checks whether UAC is enabled
               - Suspicious use of NtSetInformationThreadHideFromDebugger
               - Checks processor information in registry
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
              8. C:\Windows\SysWOW64\explorer.exe
                 Command line: C:\Windows\SysWOW64\explorer.exe
                 PID: 2464
                 - Modifies firewall policy service
                 - Checks BIOS information in registry
                 - Adds Run key to start application
                 - Drops desktop.ini file(s)
                 - Suspicious use of NtSetInformationThreadHideFromDebugger
                 - Checks processor information in registry
                 - Enumerates system info in registry
                 - Modifies Internet Explorer Protected Mode
                 - Modifies Internet Explorer Protected Mode Banner
                 - Modifies Internet Explorer settings
                 - NTFS ADS
                 - Suspicious behavior: EnumeratesProcesses
                 - Suspicious behavior: MapViewOfSection
                 - Suspicious use of AdjustPrivilegeToken
                 - Suspicious use of WriteProcessMemory
                9. C:\Users\Admin\AppData\Local\Temp\1s75i91qs3_1.exe
                   Command line: /suac
                   PID: 1352
                   - Executes dropped EXE
                   - Suspicious use of SetThreadContext
                9. C:\Users\Admin\AppData\Local\Temp\959m3m1kk7o7aq1.exe
                   Command line: "C:\Users\Admin\AppData\Local\Temp\959m3m1kk7o7aq1.exe"
                   PID: 2924
                   - Executes dropped EXE
                   - Suspicious use of SetWindowsHookEx
                  10. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Command line: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\'
                      PID: 2128
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                  10. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Command line: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'
                      PID: 3164
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                  10. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Command line: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Google Updater 2.09\'
                      PID: 3044
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                  10. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Command line: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'
                      PID: 3856
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
          6. C:\Windows\SysWOW64\taskkill.exe
             Command line: taskkill /f /im K480101741BH.exe
             PID: 3736
             - Kills process with taskkill
             - Suspicious use of AdjustPrivilegeToken
          6. C:\Windows\SysWOW64\taskkill.exe
             Command line: taskkill /f /im K480101741BH.exe
             PID: 2792
             - Kills process with taskkill
             - Suspicious use of AdjustPrivilegeToken
          6. C:\Windows\SysWOW64\attrib.exe
             Command line: attrib -s -h "C:\booking\data"
             PID: 2384
             - Views/modifies file attributes
          6. C:\Windows\SysWOW64\timeout.exe
             Command line: timeout 4
             PID: 2324
             - Delays execution with timeout.exe
      4. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 8
         PID: 2848
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads