Analysis

max time kernel: 144s
max time network: 156s
platform: windows7_x64
resource: win7
submitted: 08-07-2020 10:56

Static task: static1
Behavioral task: behavioral1
  Sample: 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe
  Resource: win10v200430
General

Target: 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe
Size: 780KB
MD5: 9bd737b220a4040dbcaf17f48be54a98
SHA1: 9a64f521040e7250e8ae523cf2cc8f75753e4cf7
SHA256: 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751
SHA512: 135e292c99e65ad22b20d446130f4a96e1de896a642eb5cf262957ad5fe78f867cc980270d8e8b636615ecbf4f539f8330bf1664aea2a1c0005a441d0f838d68
Malware Config
Extracted
C:\_readme.txt
https://we.tl/t-9fpnK9F5nP
Signatures

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1976 | powershell.exe
Token: SeDebugPrivilege | 1284 | powershell.exe
Token: SeDebugPrivilege | 1332 | powershell.exe
Token: SeDebugPrivilege | 1988 | taskkill.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5.exe
Checks for installed software on the system (1 TTPs, 29 IoCs)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName | 5.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName | 5.exe
Key enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName | 5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName | 5.exe
Suspicious use of WriteProcessMemory (77 IoCs)
Processes (the rows listed in the report, collapsed to one line per parent/child pair with the number of listed calls):
pid | wrote to memory of | process | target process | listed calls
616 | 1056 | 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe | icacls.exe | 4
616 | 1532 | 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe | 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe | 4
1532 | 1788 | 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe | updatewin1.exe | 7
1532 | 1640 | 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe | updatewin2.exe | 7
1788 | 1660 | updatewin1.exe | updatewin1.exe | 7
1660 | 1976 | updatewin1.exe | powershell.exe | 7
1532 | 1108 | 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe | 5.exe | 4
1660 | 1284 | updatewin1.exe | powershell.exe | 7
1284 | 1332 | powershell.exe | powershell.exe | 7
1660 | 316 | updatewin1.exe | mpcmdrun.exe | 4
1660 | 472 | updatewin1.exe | cmd.exe | 6
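Every WriteProcessMemory row above pairs a parent with a process it has just created, which is the normal CreateProcess pattern (the parent writes the new process's startup parameters into it); a row whose target already existed under a different parent would be the injection case. The following is an added example, not part of the sandbox report: it parses the rows in the flat form the report prints them, rebuilds the process lineage from them, flags any target with more than one distinct writer, and cross-checks the result against the parent/child links drawn in the Processes section. The row text is reconstructed from this report's table (counts included); the `REPORTED_EDGES` set is transcribed from its Processes tree, and the 1660 in the `(1660, 572)` link is the taskeng.exe instance, which the report lists under the same pid as the earlier updatewin1.exe --Admin process.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe"

# Constructed input: the "Suspicious use of WriteProcessMemory" rows of this report,
# concatenated the way the sandbox renders them. Each tuple is
# (parent pid, target pid, parent image, target image, times the row is listed).
_ROWS = [
    (616, 1056, SAMPLE, "icacls.exe", 4),
    (616, 1532, SAMPLE, SAMPLE, 4),
    (1532, 1788, SAMPLE, "updatewin1.exe", 7),
    (1532, 1640, SAMPLE, "updatewin2.exe", 7),
    (1788, 1660, "updatewin1.exe", "updatewin1.exe", 7),
    (1660, 1976, "updatewin1.exe", "powershell.exe", 7),
    (1532, 1108, SAMPLE, "5.exe", 4),
    (1660, 1284, "updatewin1.exe", "powershell.exe", 7),
    (1284, 1332, "powershell.exe", "powershell.exe", 7),
    (1660, 316, "updatewin1.exe", "mpcmdrun.exe", 4),
    (1660, 472, "updatewin1.exe", "cmd.exe", 6),
]
RAW = " ".join(
    f"PID {p} wrote to memory of {c} {p} {pi} {ci}"
    for p, c, pi, ci, n in _ROWS for _ in range(n)
)

# "PID <parent> wrote to memory of <target> <parent> <parent image> <target image>";
# the backreference \1 checks that the pid is repeated exactly as the report prints it.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_wpm(text):
    """Return (Counter{(parent, target): calls}, {pid: image}) from the flat row text."""
    calls = Counter()
    images = {}
    for m in ROW_RE.finditer(text):
        p, c = int(m.group(1)), int(m.group(2))
        calls[(p, c)] += 1
        images.setdefault(p, m.group(3))
        images.setdefault(c, m.group(4))
    return calls, images


def build_tree(calls):
    """Map each parent pid to its targets, in first-seen order (Counter keeps insertion order)."""
    children = defaultdict(list)
    for p, c in calls:
        if c not in children[p]:
            children[p].append(c)
    return children


def multi_writer_targets(calls):
    """Targets written by more than one distinct process: the creator writing into its
    new child is expected, a second writer suggests injection into a running process."""
    writers = defaultdict(set)
    for p, c in calls:
        writers[c].add(p)
    return {c: ws for c, ws in writers.items() if len(ws) > 1}


def roots(calls):
    """Pids that write but are never written to: the top of the reconstructed tree."""
    parents = {p for p, _ in calls}
    targets = {c for _, c in calls}
    return sorted(parents - targets)


def render(children, images, root, depth=0):
    """Indented lines for the subtree under root, as the report's Processes section draws it."""
    lines = [f"{'  ' * depth}{root} {images.get(root, '?')}"]
    for c in children.get(root, []):
        lines.extend(render(children, images, c, depth + 1))
    return lines


# Parent/child links as drawn in this report's Processes section (transcribed by hand).
REPORTED_EDGES = {
    (616, 1056), (616, 1532), (1532, 1788), (1788, 1660), (1660, 1976),
    (1660, 1284), (1284, 1332), (1660, 316), (1660, 472), (1532, 1640),
    (1532, 1108), (1108, 1944), (1944, 1988), (1660, 572),
}


def unexplained_edges(calls, reported=REPORTED_EDGES):
    """Links in the drawn tree that have no WriteProcessMemory row among those listed."""
    return reported - set(calls)


if __name__ == "__main__":
    calls, images = parse_wpm(RAW)
    children = build_tree(calls)
    for r in roots(calls):
        print("\n".join(render(children, images, r)))
    print("targets with multiple writers:", multi_writer_targets(calls))
    print("drawn links without a listed WPM row:", sorted(unexplained_edges(calls)))
```

Running it prints the same lineage as the Processes section below the signatures, reports no multi-writer targets, and lists the three drawn links (5.exe to cmd.exe, cmd.exe to taskkill.exe, taskeng.exe to the --Task copy) for which this report shows no WriteProcessMemory row; those are the links to look at first when the listed rows and the header count disagree.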
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Drops file in Drivers directory (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | updatewin2.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes (one line per pid, with the number of listed entries):
pid | process | listed entries
616 | 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe | 2
1532 | 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe | 2
1976 | powershell.exe | 3
1284 | powershell.exe | 2
1332 | powershell.exe | 1
1108 | 5.exe | 4
572 | 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe | 1
Modifies file permissions (1 TTPs, 1 IoCs)

Deletes Windows Defender Definitions (2 TTPs, 1 IoCs)
Uses mpcmdrun utility to delete all AV definitions.
Processes:
pid | process
316 | mpcmdrun.exe

Disables Task Manager via registry modification

Adds Run entry to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\94afc097-55ed-44bc-97ae-9fa0ee4bac89\\744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe\" --AutoStart" | 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe

Loads dropped DLL (16 IoCs)
Processes (one line per pid, with the number of listed entries):
pid | process | listed entries
1532 | 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe | 4
1788 | updatewin1.exe | 5
1660 | updatewin1.exe | 3
1108 | 5.exe | 4

Executes dropped EXE (5 IoCs)
Processes:
pid | process
1788 | updatewin1.exe
1640 | updatewin2.exe
1660 | updatewin1.exe
1108 | 5.exe
572 | 744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Kills process with taskkill (1 IoCs)
Processes:
pid | process
1988 | taskkill.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
22 | ip-api.com
Processes (the bracketed number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe  (PID 616)
    Command line: "C:\Users\Admin\AppData\Local\Temp\744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run entry to start application

  [2] C:\Windows\SysWOW64\icacls.exe  (PID 1056)
      Command line: icacls "C:\Users\Admin\AppData\Local\94afc097-55ed-44bc-97ae-9fa0ee4bac89" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions

  [2] C:\Users\Admin\AppData\Local\Temp\744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe  (PID 1532)
      Command line: "C:\Users\Admin\AppData\Local\Temp\744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe" --Admin IsNotAutoStart IsNotTask
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Loads dropped DLL

    [3] C:\Users\Admin\AppData\Local\f69a8ed6-a476-4acf-bea8-e257cfc477b8\updatewin1.exe  (PID 1788)
        Command line: "C:\Users\Admin\AppData\Local\f69a8ed6-a476-4acf-bea8-e257cfc477b8\updatewin1.exe"
        - Suspicious use of WriteProcessMemory
        - Loads dropped DLL
        - Executes dropped EXE

      [4] C:\Users\Admin\AppData\Local\f69a8ed6-a476-4acf-bea8-e257cfc477b8\updatewin1.exe  (PID 1660)
          Command line: "C:\Users\Admin\AppData\Local\f69a8ed6-a476-4acf-bea8-e257cfc477b8\updatewin1.exe" --Admin
          - Suspicious use of WriteProcessMemory
          - Loads dropped DLL
          - Executes dropped EXE

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1976)
            Command line: powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious behavior: EnumeratesProcesses

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1284)
            Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - Suspicious behavior: EnumeratesProcesses

          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1332)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious behavior: EnumeratesProcesses

        [5] C:\Program Files\Windows Defender\mpcmdrun.exe  (PID 316)
            Command line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
            - Deletes Windows Defender Definitions

        [5] C:\Windows\SysWOW64\cmd.exe  (PID 472)
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""

    [3] C:\Users\Admin\AppData\Local\f69a8ed6-a476-4acf-bea8-e257cfc477b8\updatewin2.exe  (PID 1640)
        Command line: "C:\Users\Admin\AppData\Local\f69a8ed6-a476-4acf-bea8-e257cfc477b8\updatewin2.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\f69a8ed6-a476-4acf-bea8-e257cfc477b8\5.exe  (PID 1108)
        Command line: "C:\Users\Admin\AppData\Local\f69a8ed6-a476-4acf-bea8-e257cfc477b8\5.exe"
        - Checks processor information in registry
        - Checks for installed software on the system
        - Suspicious behavior: EnumeratesProcesses
        - Loads dropped DLL
        - Executes dropped EXE

      [4] C:\Windows\SysWOW64\cmd.exe  (PID 1944)
          Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\f69a8ed6-a476-4acf-bea8-e257cfc477b8\5.exe & exit

        [5] C:\Windows\SysWOW64\taskkill.exe  (PID 1988)
            Command line: taskkill /im 5.exe /f
            - Suspicious use of AdjustPrivilegeToken
            - Kills process with taskkill

[1] C:\Windows\system32\taskeng.exe  (PID 1660)
    Command line: taskeng.exe {E1879474-5954-4B97-88E2-A77F25952152} S-1-5-21-1131729243-447456001-3632642222-1000:AVGLFESB\Admin:Interactive:[1]

  [2] C:\Users\Admin\AppData\Local\94afc097-55ed-44bc-97ae-9fa0ee4bac89\744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe  (PID 572)
      Command line: C:\Users\Admin\AppData\Local\94afc097-55ed-44bc-97ae-9fa0ee4bac89\744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe --Task
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
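The process tree above carries most of what a detection engineer would key on: mpcmdrun.exe stripping Defender definitions, PowerShell relaxing its execution policy and re-launching itself elevated with -Verb RunAs, icacls denying Everyone (S-1-1-0) delete rights on the drop folder so the copy cannot be removed, 5.exe erasing itself through a taskkill-and-erase cmd line, a Run value pointing at the hidden copy, a hosts file write, and an ip-api.com lookup. The following is an added example, not part of the sandbox report: those behaviours written as rules and run over events constructed from this report's tree and IoC lists. The `Event`/`Rule` classes and rule names are my own, the lookup domains other than ip-api.com are my additions, and the network event is given pid 0 because the report ties it to flow 22 rather than to a process.

```python
import re
from dataclasses import dataclass
from typing import Callable

SAMPLE = "744ec52f480cb86b7e84fbbfe4b1880f57219dae5683b746f88d6ee4ba394751.exe"
DROP = r"C:\Users\Admin\AppData\Local\f69a8ed6-a476-4acf-bea8-e257cfc477b8"
HIDE = r"C:\Users\Admin\AppData\Local\94afc097-55ed-44bc-97ae-9fa0ee4bac89"


@dataclass(frozen=True)
class Event:
    kind: str      # "process" | "registry" | "file" | "network"
    pid: int
    image: str
    detail: str    # command line, "key = value", file path, or contacted domain


# Constructed from this report's Processes tree and IoC lists (command lines verbatim).
EVENTS = [
    Event("process", 616, SAMPLE, f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'),
    Event("process", 1056, "icacls.exe", f'icacls "{HIDE}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    Event("process", 1532, SAMPLE, f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}" --Admin IsNotAutoStart IsNotTask'),
    Event("process", 1976, "powershell.exe", "powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned"),
    Event("process", 1284, "powershell.exe", "powershell -NoProfile -ExecutionPolicy Bypass -Command \"& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File \"\"C:\\Users\\Admin\\AppData\\Local\\script.ps1\"\"' -Verb RunAs}\""),
    Event("process", 1332, "powershell.exe", '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\\Users\\Admin\\AppData\\Local\\script.ps1'),
    Event("process", 316, "mpcmdrun.exe", '"C:\\Program Files\\Windows Defender\\mpcmdrun.exe" -removedefinitions -all'),
    Event("process", 472, "cmd.exe", 'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\delself.bat""'),
    Event("process", 1944, "cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im 5.exe /f & erase {DROP}\\5.exe & exit'),
    Event("process", 1988, "taskkill.exe", "taskkill /im 5.exe /f"),
    Event("process", 572, SAMPLE, f"{HIDE}\\{SAMPLE} --Task"),
    Event("registry", 616, SAMPLE, f'\\REGISTRY\\USER\\S-1-5-21-1131729243-447456001-3632642222-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHelper = "\\"{HIDE}\\{SAMPLE}\\" --AutoStart"'),
    Event("file", 1640, "updatewin2.exe", r"C:\Windows\System32\drivers\etc\hosts"),
    Event("network", 0, "(flow 22)", "ip-api.com"),   # pid 0: the report attributes this to a flow, not a process
]


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                      # only events of this kind are evaluated
    match: Callable[[Event], bool]


def _self_delete(e):
    # "taskkill /im X /f & erase <path>" where <path> ends in \X: the killer removes the killed image.
    m = re.search(r"taskkill\s+/im\s+(\S+)\s+/f\s*&\s*(?:erase|del)\s+(\S+)", e.detail, re.I)
    return bool(m) and m.group(2).lower().endswith("\\" + m.group(1).lower())


# ip-api.com is the one in this report; the rest are other public lookup services (my addition).
IP_LOOKUP_DOMAINS = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me", "ipinfo.io"}

RULES = [
    Rule("defender_definitions_removed", "process",
         lambda e: e.image.lower() == "mpcmdrun.exe" and "-removedefinitions" in e.detail.lower()),
    Rule("powershell_execution_policy_changed", "process",
         lambda e: e.image.lower() == "powershell.exe"
         and re.search(r"set-executionpolicy|-executionpolicy\s+bypass", e.detail, re.I) is not None),
    Rule("powershell_elevation_via_runas", "process",
         lambda e: e.image.lower() == "powershell.exe"
         and re.search(r"start-process.*-verb\s+runas", e.detail, re.I | re.S) is not None),
    # /deny on the Everyone SID with DE (delete) or DC (delete child): the drop folder is made undeletable.
    Rule("icacls_deny_everyone_delete", "process",
         lambda e: e.image.lower() == "icacls.exe"
         and re.search(r"/deny\s+\*S-1-1-0:\S*\b(?:DE|DC)\b", e.detail, re.I) is not None),
    Rule("self_delete_via_taskkill_erase", "process", _self_delete),
    Rule("run_key_persistence", "registry",
         lambda e: re.search(r"\\CurrentVersion\\Run\\", e.detail, re.I) is not None),
    Rule("hosts_file_modified", "file",
         lambda e: e.detail.lower().endswith(r"\drivers\etc\hosts")),
    Rule("external_ip_lookup", "network",
         lambda e: e.detail.lower() in IP_LOOKUP_DOMAINS),
]


def detect(events, rules=RULES):
    """Return [(rule name, pid, image)] for every event that a rule of its kind matches."""
    return [(r.name, e.pid, e.image) for e in events for r in rules
            if r.kind == e.kind and r.match(e)]


def by_rule(hits):
    """Group hit pids under their rule name, preserving event order."""
    out = {}
    for name, pid, _ in hits:
        out.setdefault(name, []).append(pid)
    return out


if __name__ == "__main__":
    for name, pids in by_rule(detect(EVENTS)).items():
        print(f"{name}: {pids}")
```

Two design points worth noting. The self-delete rule insists that the image named in taskkill also be the file named in erase, which is what distinguishes the 5.exe line (pid 1944) from the bare `taskkill /im 5.exe /f` child (pid 1988) that the report flags on its own; and the execution-policy rule fires three times (1976, 1284, 1332), matching both the Set-ExecutionPolicy cmdlet and the -ExecutionPolicy Bypass switch, because either one alone is a weak signal and the parent/child chain is what makes it strong.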