b39a13030095984b1a1a5584c8aa7d974a40aa631ef5b27ab933cc5d40799deb

Analysis

max time kernel
135s
max time network
143s
platform
windows7_x64
resource
win7
submitted
19-07-2020 19:42

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

chthonic_2.23.17.10.vir.exe
Size

1.8MB
MD5

73613b116ebb614b2964038b3f937db0
SHA1

7872e57d9e89fb65f22f51d93a5ac3ca39fc30da
SHA256

b39a13030095984b1a1a5584c8aa7d974a40aa631ef5b27ab933cc5d40799deb
SHA512

5d87c3bf9e438bbee3287d00b267f31d7bcb93b1fbc1fbc6aa2035bc502f5ca73d4e03e2711b6dfc73b06044e746ae15b23b95bf8dce394889073bdc0890b334

Score

10^/10

evasion trojan discovery persistence

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WScript.exe

Drops file in Program Files directory 125 IoCs

Processes:

update.exe

description	ioc	process
File created	C:\Program Files (x86)\Power Mixer\Lang\Afrikaans.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Serbian (Latin).lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\Horizontal Bar.bmp	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\Vertical Bar.bmp	update.exe
File created	C:\Program Files (x86)\Power Mixer\pwmixer.dat	update.exe
File created	C:\Program Files (x86)\Power Mixer\history.txt	update.exe
File created	C:\Program Files (x86)\Power Mixer\srvman.dat	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Chinese (Simplified).lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\readme.txt	update.exe
File created	C:\Program Files (x86)\Power Mixer\Tools\Default.csv	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Portuguese (Brazil).lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\Chameleon (Light Text).bmp	update.exe
File created	C:\Program Files (x86)\Power Mixer\srvman.exe	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\srvman.cfg	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Afrikaans.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\srvman.cfg	update.exe
File created	C:\Program Files (x86)\Power Mixer\Homepage.htm	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Dutch.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Greek.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Ukrainian.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\Chameleon.bmp	update.exe
File created	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\LouderIT.bmp	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\srvman.dat	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Tools\atedit.dat	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Chinese (Traditional).lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\readme.txt	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Italian.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Res\Sounds\osd.wav	update.exe
File created	C:\Program Files (x86)\Power Mixer\Tools\atedit.dat	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Catalan.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Croatian.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Portuguese (Brazil).lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Spanish.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Turkish.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\Rainbow.bmp	update.exe
File created	C:\Program Files (x86)\Power Mixer\pwmixer.exe	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\readme.txt	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Estonian.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Danish.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Register.htm	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Korean.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Norwegian.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Norwegian.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\English.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Estonian.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Ukrainian.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\Default.bmp	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\Digits (Multicolor).bmp	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\Horizontal Bar.bmp	update.exe
File created	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\readme.txt	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Czech.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Finnish.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Magyar.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Croatian.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Italian.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\Default (Light Text).bmp	update.exe
File created	C:\Program Files (x86)\Power Mixer\license.txt	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\French.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Swedish.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Res\Tray Icon\Basic.bmp	update.exe
File created	C:\Program Files (x86)\Power Mixer\Tools\atedit.exe	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Arabic.lng	update.exe
File created	C:\Program Files (x86)\Power Mixer\Lang\Spanish.lng	update.exe
File opened for modification	C:\Program Files (x86)\Power Mixer\Lang\Polish.lng	update.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PhishingFilter	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	msiexec.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 6 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

logs.exemsiexec.exewnew.commsiexec.exe

pid process

1416 logs.exe
1116 msiexec.exe
1820 wnew.com
1084 msiexec.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

msiexec.exe

description pid process

Token: SeShutdownPrivilege 1116 msiexec.exe
Blacklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

6 1288 WScript.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exemsiexec.exe

pid process

1116 msiexec.exe
1084 msiexec.exe

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1416	logs.exe
1116	msiexec.exe
1820	wnew.com
1084	msiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1116	msiexec.exe

flow	pid	process
6	1288	WScript.exe

pid	process
1116	msiexec.exe
1084	msiexec.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exelogs.exeupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\wnew = "C:\\Users\\Admin\\AppData\\Roaming\\wnew\\wnew.com"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "system"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ynew = "C:\\Users\\Admin\\AppData\\Roaming\\Ynew\\Ynew.com"	logs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "system"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\Run	logs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "system"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "system"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvastUI.exe = "AvastUI.exe"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastUI.exe = "AvastUI.exe"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Power Mixer = "\"C:\\Program Files (x86)\\Power Mixer\\pwmixer.exe\" /m"	update.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\Run	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\	update.exe

Suspicious use of WriteProcessMemory 73 IoCs

Processes:

chthonic_2.23.17.10.vir.exeMixer.exeWScript.execmd.exeupdate.exelogs.exemsiexec.execmd.exe

description	pid	process	target process
PID 900 wrote to memory of 1288	900	chthonic_2.23.17.10.vir.exe	WScript.exe
PID 900 wrote to memory of 1288	900	chthonic_2.23.17.10.vir.exe	WScript.exe
PID 900 wrote to memory of 1288	900	chthonic_2.23.17.10.vir.exe	WScript.exe
PID 900 wrote to memory of 1288	900	chthonic_2.23.17.10.vir.exe	WScript.exe
PID 900 wrote to memory of 1288	900	chthonic_2.23.17.10.vir.exe	WScript.exe
PID 900 wrote to memory of 1288	900	chthonic_2.23.17.10.vir.exe	WScript.exe
PID 900 wrote to memory of 1288	900	chthonic_2.23.17.10.vir.exe	WScript.exe
PID 900 wrote to memory of 1416	900	chthonic_2.23.17.10.vir.exe	logs.exe
PID 900 wrote to memory of 1416	900	chthonic_2.23.17.10.vir.exe	logs.exe
PID 900 wrote to memory of 1416	900	chthonic_2.23.17.10.vir.exe	logs.exe
PID 900 wrote to memory of 1416	900	chthonic_2.23.17.10.vir.exe	logs.exe
PID 900 wrote to memory of 1416	900	chthonic_2.23.17.10.vir.exe	logs.exe
PID 900 wrote to memory of 1416	900	chthonic_2.23.17.10.vir.exe	logs.exe
PID 900 wrote to memory of 1416	900	chthonic_2.23.17.10.vir.exe	logs.exe
PID 900 wrote to memory of 912	900	chthonic_2.23.17.10.vir.exe	Mixer.exe
PID 900 wrote to memory of 912	900	chthonic_2.23.17.10.vir.exe	Mixer.exe
PID 900 wrote to memory of 912	900	chthonic_2.23.17.10.vir.exe	Mixer.exe
PID 900 wrote to memory of 912	900	chthonic_2.23.17.10.vir.exe	Mixer.exe
PID 900 wrote to memory of 912	900	chthonic_2.23.17.10.vir.exe	Mixer.exe
PID 900 wrote to memory of 912	900	chthonic_2.23.17.10.vir.exe	Mixer.exe
PID 900 wrote to memory of 912	900	chthonic_2.23.17.10.vir.exe	Mixer.exe
PID 912 wrote to memory of 1084	912	Mixer.exe	WScript.exe
PID 912 wrote to memory of 1084	912	Mixer.exe	WScript.exe
PID 912 wrote to memory of 1084	912	Mixer.exe	WScript.exe
PID 912 wrote to memory of 1084	912	Mixer.exe	WScript.exe
PID 912 wrote to memory of 1084	912	Mixer.exe	WScript.exe
PID 912 wrote to memory of 1084	912	Mixer.exe	WScript.exe
PID 912 wrote to memory of 1084	912	Mixer.exe	WScript.exe
PID 1084 wrote to memory of 1828	1084	WScript.exe	cmd.exe
PID 1084 wrote to memory of 1828	1084	WScript.exe	cmd.exe
PID 1084 wrote to memory of 1828	1084	WScript.exe	cmd.exe
PID 1084 wrote to memory of 1828	1084	WScript.exe	cmd.exe
PID 1084 wrote to memory of 1828	1084	WScript.exe	cmd.exe
PID 1084 wrote to memory of 1828	1084	WScript.exe	cmd.exe
PID 1084 wrote to memory of 1828	1084	WScript.exe	cmd.exe
PID 1828 wrote to memory of 1264	1828	cmd.exe	update.exe
PID 1828 wrote to memory of 1264	1828	cmd.exe	update.exe
PID 1828 wrote to memory of 1264	1828	cmd.exe	update.exe
PID 1828 wrote to memory of 1264	1828	cmd.exe	update.exe
PID 1828 wrote to memory of 1264	1828	cmd.exe	update.exe
PID 1828 wrote to memory of 1264	1828	cmd.exe	update.exe
PID 1828 wrote to memory of 1264	1828	cmd.exe	update.exe
PID 1264 wrote to memory of 844	1264	update.exe	srvman.exe
PID 1264 wrote to memory of 844	1264	update.exe	srvman.exe
PID 1264 wrote to memory of 844	1264	update.exe	srvman.exe
PID 1264 wrote to memory of 844	1264	update.exe	srvman.exe
PID 1264 wrote to memory of 844	1264	update.exe	srvman.exe
PID 1264 wrote to memory of 844	1264	update.exe	srvman.exe
PID 1264 wrote to memory of 844	1264	update.exe	srvman.exe
PID 1416 wrote to memory of 1116	1416	logs.exe	msiexec.exe
PID 1416 wrote to memory of 1116	1416	logs.exe	msiexec.exe
PID 1416 wrote to memory of 1116	1416	logs.exe	msiexec.exe
PID 1416 wrote to memory of 1116	1416	logs.exe	msiexec.exe
PID 1416 wrote to memory of 1116	1416	logs.exe	msiexec.exe
PID 1416 wrote to memory of 1116	1416	logs.exe	msiexec.exe
PID 1416 wrote to memory of 1116	1416	logs.exe	msiexec.exe
PID 1416 wrote to memory of 1116	1416	logs.exe	msiexec.exe
PID 1116 wrote to memory of 872	1116	msiexec.exe	cmd.exe
PID 1116 wrote to memory of 872	1116	msiexec.exe	cmd.exe
PID 1116 wrote to memory of 872	1116	msiexec.exe	cmd.exe
PID 1116 wrote to memory of 872	1116	msiexec.exe	cmd.exe
PID 872 wrote to memory of 1820	872	cmd.exe	wnew.com
PID 872 wrote to memory of 1820	872	cmd.exe	wnew.com
PID 872 wrote to memory of 1820	872	cmd.exe	wnew.com

Executes dropped EXE 5 IoCs

Processes:

logs.exeMixer.exeupdate.exesrvman.exewnew.com

pid process

1416 logs.exe
912 Mixer.exe
1264 update.exe
844 srvman.exe
1820 wnew.com

pid	process
1416	logs.exe
912	Mixer.exe
1264	update.exe
844	srvman.exe
1820	wnew.com

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\Explorer	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification = "1"	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	msiexec.exe

Modifies registry class 92 IoCs

Processes:

update.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C04378F8-9992-4C12-94BE-5D6B539863F5}	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C04378F8-9992-4C12-94BE-5D6B539863F5}\TypeLib\ = "{0EAB4CE6-1931-4C2A-94CC-8257D2D400EB}"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21A9D414-7066-4FA2-9B06-A7307195E52A}\ = "Power Mixer Control Property Page"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EAB4CE6-1931-4C2A-94CC-8257D2D400EB}\1.0\FLAGS	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{735C9E3E-9288-4D92-A5B7-13704D8A53E9}	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\InprocServer32	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\MiscStatus\ = "0"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\ = "Power Mixer Control"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\ProgID\ = "PowerMixer.Ctrl.1"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\Version\ = "1.0"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EAB4CE6-1931-4C2A-94CC-8257D2D400EB}\1.0\HELPDIR	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{735C9E3E-9288-4D92-A5B7-13704D8A53E9}\TypeLib	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C04378F8-9992-4C12-94BE-5D6B539863F5}\ProxyStubClsid32	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C04378F8-9992-4C12-94BE-5D6B539863F5}\TypeLib	update.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C04378F8-9992-4C12-94BE-5D6B539863F5}\TypeLib\Version = "1.0"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21A9D414-7066-4FA2-9B06-A7307195E52A}	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\Insertable	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EAB4CE6-1931-4C2A-94CC-8257D2D400EB}\1.0	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C04378F8-9992-4C12-94BE-5D6B539863F5}\ProxyStubClsid32	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C04378F8-9992-4C12-94BE-5D6B539863F5}	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\Version	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\Insertable\	update.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EAB4CE6-1931-4C2A-94CC-8257D2D400EB}\1.0\ = "Power Mixer Control module"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EAB4CE6-1931-4C2A-94CC-8257D2D400EB}\1.0\HELPDIR\	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{735C9E3E-9288-4D92-A5B7-13704D8A53E9}\ProxyStubClsid32	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\ToolboxBitmap32\ = "C:\\PROGRA~2\\POWERM~1\\pwmixer.ocx, 1"	update.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\MiscStatus\1	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\MiscStatus\1\ = "131473"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{735C9E3E-9288-4D92-A5B7-13704D8A53E9}\ProxyStubClsid32	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{735C9E3E-9288-4D92-A5B7-13704D8A53E9}\TypeLib	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C04378F8-9992-4C12-94BE-5D6B539863F5}\ = "IPowerMixerEvents"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerMixer.Ctrl.1\CLSID\ = "{04261676-A7DB-43B6-92FF-3A95CFFBFE92}"	update.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerMixer.Ctrl.1\Insertable\	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EAB4CE6-1931-4C2A-94CC-8257D2D400EB}\1.0\FLAGS\ = "2"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C04378F8-9992-4C12-94BE-5D6B539863F5}\TypeLib\Version = "1.0"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerMixer.Ctrl.1\ = "Power Mixer Control"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\MiscStatus	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21A9D414-7066-4FA2-9B06-A7307195E52A}\InprocServer32	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\ProgID	update.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EAB4CE6-1931-4C2A-94CC-8257D2D400EB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Power Mixer\\pwmixer.ocx"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C04378F8-9992-4C12-94BE-5D6B539863F5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\ToolboxBitmap32	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerMixer.Ctrl.1\Insertable	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EAB4CE6-1931-4C2A-94CC-8257D2D400EB}\1.0\0	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C04378F8-9992-4C12-94BE-5D6B539863F5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerMixer.Ctrl.1	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerMixer.Ctrl.1\CLSID	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04261676-A7DB-43B6-92FF-3A95CFFBFE92}\TypeLib	update.exe

Disables taskbar notifications via registry modification
evasion

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\diagnosticshub.standardcollector.service	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\diagnosticshub.standardcollector.service\Start = "4"	msiexec.exe

Loads dropped DLL 97 IoCs

Processes:

chthonic_2.23.17.10.vir.execmd.exeupdate.exelogs.exe

pid	process
900	chthonic_2.23.17.10.vir.exe
900	chthonic_2.23.17.10.vir.exe
900	chthonic_2.23.17.10.vir.exe
900	chthonic_2.23.17.10.vir.exe
900	chthonic_2.23.17.10.vir.exe
900	chthonic_2.23.17.10.vir.exe
900	chthonic_2.23.17.10.vir.exe
900	chthonic_2.23.17.10.vir.exe
900	chthonic_2.23.17.10.vir.exe
1828	cmd.exe
1264	update.exe
1264	update.exe
1264	update.exe
1416	logs.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe
1264	update.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

logs.exewnew.com

pid process

1416 logs.exe
1820 wnew.com

pid	process
1416	logs.exe
1820	wnew.com

C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.10.vir.exe
"C:\Users\Admin\AppData\Local\Temp\chthonic_2.23.17.10.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\MixerMood\informer.vbs"
2⤵
- Modifies system certificate store
- Blacklisted process makes network request
PID:1288

C:\ProgramData\MixerMood\logs.exe
"C:\ProgramData\MixerMood\logs.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
PID:1416

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- System policy modification
- Checks whether UAC is enabled
- Modifies registry class
- Modifies service
PID:1116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\wnew\wnew.com"
4⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Roaming\wnew\wnew.com
C:\Users\Admin\AppData\Roaming\wnew\wnew.com
5⤵
- Suspicious behavior: GetForegroundWindowSpam
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1820

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe
6⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\ProgramData\MixerMood\Mixer.exe
"C:\ProgramData\MixerMood\Mixer.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:912

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\ActualSoftware\cert.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ActualSoftware\logs.bat" "
4⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1828

C:\ProgramData\ActualSoftware\update.exe
update.exe /S
5⤵
- Drops file in Program Files directory
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Modifies registry class
- Loads dropped DLL
PID:1264

C:\Program Files (x86)\Power Mixer\srvman.exe
"C:\Program Files (x86)\Power Mixer\srvman.exe" -u
6⤵
- Executes dropped EXE
PID:844

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1884

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Bypass User Account Control

T1088

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Power Mixer\srvman.cfg

Download Submit
C:\Program Files (x86)\Power Mixer\srvman.exe

Download Submit
C:\ProgramData\ActualSoftware\cert.vbs

Download Submit
C:\ProgramData\ActualSoftware\logs.bat

Download Submit
C:\ProgramData\ActualSoftware\update.exe

Download Submit
C:\ProgramData\ActualSoftware\update.exe

Download Submit
C:\ProgramData\MixerMood\Mixer.exe

Download Submit
C:\ProgramData\MixerMood\Mixer.exe

Download Submit
C:\ProgramData\MixerMood\informer.vbs

Download Submit
C:\ProgramData\MixerMood\logs.exe

Download Submit
C:\ProgramData\MixerMood\logs.exe

Download Submit
C:\Users\Admin\AppData\Roaming\wnew\wnew.com

Download Submit
C:\Users\Admin\AppData\Roaming\wnew\wnew.com

Download Submit
\Program Files (x86)\Power Mixer\Tools\atedit.exe

Download Submit
\Program Files (x86)\Power Mixer\Uninst.exe

Download Submit
\Program Files (x86)\Power Mixer\pwmixer.exe

Download Submit
\Program Files (x86)\Power Mixer\pwmixer.ocx

Download Submit
\Program Files (x86)\Power Mixer\srvman.exe

Download Submit
\Program Files (x86)\Power Mixer\srvman.exe

Download Submit
\ProgramData\ActualSoftware\update.exe

Download Submit
\ProgramData\MixerMood\Mixer.exe

Download Submit
\ProgramData\MixerMood\Mixer.exe

Download Submit
\ProgramData\MixerMood\Mixer.exe

Download Submit
\ProgramData\MixerMood\Mixer.exe

Download Submit
\ProgramData\MixerMood\logs.exe

Download Submit
\ProgramData\MixerMood\logs.exe

Download Submit
\ProgramData\MixerMood\logs.exe

Download Submit
\ProgramData\MixerMood\logs.exe

Download Submit
\ProgramData\MixerMood\logs.exe

Download Submit
\Users\Admin\AppData\Local\Temp\2818.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\4341CCE.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\473C.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\52441F0.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\GetVersion.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\GetVersion.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\Service.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\Service.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\Service.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\Service.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\Service.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\Service.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\Service.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\SetupCfg.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\UserInfo.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsf1739.tmp\UserInfo.dll

Download Submit
\Users\Admin\AppData\Roaming\wnew\wnew.com

Download Submit
\Users\Admin\AppData\Roaming\wnew\wnew.com

Download Submit
memory/844-112-0x0000000000000000-mapping.dmp

Download
memory/872-121-0x0000000000000000-mapping.dmp

Download
memory/912-16-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/912-13-0x0000000000000000-mapping.dmp

Download
memory/1084-24-0x00000000028D0000-0x00000000028D4000-memory.dmp

Filesize
16KB

Download
memory/1084-128-0x0000000000000000-mapping.dmp

Download
memory/1084-19-0x0000000000000000-mapping.dmp

Download
memory/1116-119-0x0000000000000000-mapping.dmp

Download
memory/1264-29-0x0000000000000000-mapping.dmp

Download
memory/1264-27-0x0000000000000000-mapping.dmp

Download
memory/1264-108-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1288-0-0x0000000000000000-mapping.dmp

Download
memory/1288-21-0x0000000002790000-0x0000000002794000-memory.dmp

Filesize
16KB

Download
memory/1416-7-0x0000000000000000-mapping.dmp

Download
memory/1820-125-0x0000000000000000-mapping.dmp

Download
memory/1828-23-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads