Analysis
  max time kernel: 151s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 14/05/2023, 18:32
Static task: static1
Behavioral task: behavioral1
  Sample: c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Resource: win10v2004-20230220-en
General
  Target: c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Size: 518KB
  MD5: d03823a205919b6927f3fa3164be5ac5
  SHA1: 409181132564166a62ee867321ebc07089e49085
  SHA256: c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b
  SHA512: b39a297dd63d9e52d9ccc50cdcb418a98d9e648a26af7a6fd31520f5299656e48dfd1b58174667a1b50410259cab62cffe9e8e549fb1fb3699150e22814204d2
  SSDEEP: 12288:yh1Lk70TnvjcrT/6wla486fIcf4cA5eBRDpPKAha2v:Gk70TrcrRlH86Acf4cAEBdP
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies Windows Firewall 1 TTPs 2 IoCs
pid | Process
  4664 | netsh.exe
  1468 | netsh.exe
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
  File opened for modification | C:\Users\Admin\Pictures\RenameUninstall.tiff | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  File opened for modification | C:\Users\Admin\Pictures\SplitEnable.tiff | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
.NET Reactor protector 34 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource | yara_rule
  behavioral2/memory/1672-134-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-135-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-137-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-139-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-141-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-143-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-145-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-155-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-153-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-149-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-157-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-159-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-161-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-163-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-165-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-169-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-167-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-171-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-173-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-175-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-177-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-179-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-181-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-183-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-185-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-187-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-189-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-191-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-193-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-195-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-197-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-199-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-201-0x0000000004B70000-0x0000000004C3A000-memory.dmp | net_reactor
  behavioral2/memory/1672-2195-0x0000000004B60000-0x0000000004B70000-memory.dmp | net_reactor
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
Drops startup file 3 IoCs
description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
Drops desktop.ini file(s) 26 IoCs
description | ioc (Process column: c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe for all 26 rows)
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini
  File opened for modification | C:\Users\Admin\Downloads\desktop.ini
  File opened for modification | C:\Users\Admin\Favorites\desktop.ini
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini
  File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  File opened for modification | C:\Users\Admin\Videos\desktop.ini
  File opened for modification | C:\Users\Admin\3D Objects\desktop.ini
  File opened for modification | C:\Users\Admin\Contacts\desktop.ini
  File opened for modification | C:\Users\Public\Libraries\desktop.ini
  File opened for modification | C:\Users\Public\Downloads\desktop.ini
  File opened for modification | C:\Users\Public\desktop.ini
  File opened for modification | C:\Users\Admin\Documents\desktop.ini
  File opened for modification | C:\Users\Admin\OneDrive\desktop.ini
  File opened for modification | C:\Users\Admin\Music\desktop.ini
  File opened for modification | C:\Users\Admin\Saved Games\desktop.ini
  File opened for modification | C:\Users\Public\Documents\desktop.ini
  File opened for modification | C:\Users\Public\Pictures\desktop.ini
  File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini
  File opened for modification | C:\Users\Admin\Links\desktop.ini
  File opened for modification | C:\Users\Public\AccountPictures\desktop.ini
  File opened for modification | C:\Users\Public\Desktop\desktop.ini
  File opened for modification | C:\Users\Public\Music\desktop.ini
  File opened for modification | C:\Users\Public\Videos\desktop.ini
  File opened for modification | C:\Program Files\desktop.ini
  File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  File opened for modification | C:\Users\Admin\Searches\desktop.ini
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
  File opened (read-only) | \??\A: | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
  757 | ip-api.com
Drops file in Program Files directory 64 IoCs
description | ioc (Process column: c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe for all 64 rows)
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\local_policy.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui
  File created | C:\Program Files\Common Files\System\ja-JP\Restore-My-Files.txt
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lv.pak
  File opened for modification | C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_zh_CN.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightItalic.ttf
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\Restore-My-Files.txt
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\Restore-My-Files.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar
  File created | C:\Program Files\Common Files\System\Ole DB\Restore-My-Files.txt
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak
  File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt
  File created | C:\Program Files\Common Files\microsoft shared\ink\en-GB\Restore-My-Files.txt
  File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar
  File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar
  File created | C:\Program Files\Common Files\microsoft shared\ink\he-IL\Restore-My-Files.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\[email protected]
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat
  File created | C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\Restore-My-Files.txt
  File opened for modification | C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui
  File opened for modification | C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar
  File created | C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Restore-My-Files.txt
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z
Drops file in Windows directory 2 IoCs
description | ioc | Process
  File created | C:\Windows\winlogon.exe | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  File opened for modification | C:\Windows\winlogon.exe | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
  2268 | schtasks.exe
Modifies registry class 7 IoCs
description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki" | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\os1tzm54.exe \"%l\" " | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid | Process
  1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe (this row is repeated 25 times)
  4204 | powershell.exe (this row is repeated 2 times)
Suspicious use of AdjustPrivilegeToken 47 IoCs
description | pid | Process
  Token: SeDebugPrivilege | 1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
  The following sequence of 21 rows appears twice in the report (42 rows in total):
  Token: SeIncreaseQuotaPrivilege | 2320 | WMIC.exe
  Token: SeSecurityPrivilege | 2320 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2320 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2320 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2320 | WMIC.exe
  Token: SeSystemtimePrivilege | 2320 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2320 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2320 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2320 | WMIC.exe
  Token: SeBackupPrivilege | 2320 | WMIC.exe
  Token: SeRestorePrivilege | 2320 | WMIC.exe
  Token: SeShutdownPrivilege | 2320 | WMIC.exe
  Token: SeDebugPrivilege | 2320 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2320 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2320 | WMIC.exe
  Token: SeUndockPrivilege | 2320 | WMIC.exe
  Token: SeManageVolumePrivilege | 2320 | WMIC.exe
  Token: 33 | 2320 | WMIC.exe
  Token: 34 | 2320 | WMIC.exe
  Token: 35 | 2320 | WMIC.exe
  Token: 36 | 2320 | WMIC.exe
  Token: SeBackupPrivilege | 3844 | vssvc.exe
  Token: SeRestorePrivilege | 3844 | vssvc.exe
  Token: SeAuditPrivilege | 3844 | vssvc.exe
  Token: SeDebugPrivilege | 4204 | powershell.exe
Suspicious use of WriteProcessMemory 48 IoCs
description | pid | Process | procid_target (each row below appears three times in the report)
  PID 1672 wrote to memory of 436 | 1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe | 84
  PID 436 wrote to memory of 2268 | 436 | cmd.exe | 86
  PID 1672 wrote to memory of 3864 | 1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe | 87
  PID 3864 wrote to memory of 1768 | 3864 | csc.exe | 89
  PID 1672 wrote to memory of 5072 | 1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe | 94
  PID 1672 wrote to memory of 1888 | 1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe | 96
  PID 1672 wrote to memory of 1944 | 1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe | 98
  PID 1672 wrote to memory of 4084 | 1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe | 99
  PID 1672 wrote to memory of 4788 | 1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe | 102
  PID 1672 wrote to memory of 1260 | 1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe | 107
  PID 1672 wrote to memory of 2936 | 1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe | 106
  PID 1672 wrote to memory of 4684 | 1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe | 108
  PID 1944 wrote to memory of 2320 | 1944 | cmd.exe | 110
  PID 2936 wrote to memory of 4664 | 2936 | cmd.exe | 111
  PID 4684 wrote to memory of 1468 | 4684 | cmd.exe | 112
  PID 1672 wrote to memory of 4204 | 1672 | c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe | 117
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c9b1665e58fe0bd5a47bac14d7f262fcb21a90775c97bd778288c21eaac7435b5.exe"
- Modifies Windows Defender Real-time Protection settings
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
    - Suspicious use of WriteProcessMemory
    PID:436

        C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
        - Creates scheduled task(s)
        PID:2268

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\anvwnf4w\anvwnf4w.cmdline"
    - Suspicious use of WriteProcessMemory
    PID:3864

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC16.tmp" "c:\ProgramData\CSC2807E33C3EDF4A899AE39D86CF1DF944.TMP"
        PID:1768

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
    PID:5072

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
    PID:1888

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    - Suspicious use of WriteProcessMemory
    PID:1944

        C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
        PID:2320

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    PID:4084

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID:4788

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
    - Suspicious use of WriteProcessMemory
    PID:2936

        C:\Windows\SysWOW64\netsh.exe
        Command line: netsh advfirewall set currentprofile state off
        - Modifies Windows Firewall
        PID:4664

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    PID:1260

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
    - Suspicious use of WriteProcessMemory
    PID:4684

        C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall set opmode mode=disable
        - Modifies Windows Firewall
        PID:1468

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4204

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3844
Network
MITRE ATT&CK Enterprise v6
Downloads