Analysis
max time kernel: 150s
max time network: 137s
platform: windows10_x64
resource: win10v20210410
submitted: 13/05/2021, 18:56
Static task: static1
Behavioral task: behavioral1
Sample: 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe
Resource: win7v20210410
General
Target: 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe
Size: 731KB
MD5: 105f97e06f45250a6448035b94f2ef2b
SHA1: 3819346f3b8c05add77c89205a58533dabbc7249
SHA256: 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd0623c0df2fe62bd99986b
SHA512: 9a57ebc3835d2abedb966a501bfb7c2d15769a8f3a95320c00dc91e892710d182fffd4f1971dda989c5129da493cb64ce329cb9b8a2aa1177167ecadd07cc3d7
Malware Config
Extracted: cryptbot
- remdny42.top
- morpgr04.top
- payload_url: http://sulnom06.top/download.php?file=lv.exe
Extracted: danabot
- 1827
- 3
- 184.95.51.183:443
- 184.95.51.175:443
- 192.210.198.12:443
- 184.95.51.180:443
- embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
Signatures

CryptBot Payload 2 IoCs
resource | yara_rule
behavioral2/memory/3972-115-0x0000000000400000-0x00000000004E5000-memory.dmp | family_cryptbot
behavioral2/memory/3972-114-0x0000000002190000-0x0000000002271000-memory.dmp | family_cryptbot

Blocklisted process makes network request 8 IoCs
flow | pid | Process
39 | 740 | RUNDLL32.EXE
41 | 4012 | WScript.exe
43 | 4012 | WScript.exe
45 | 4012 | WScript.exe
47 | 4012 | WScript.exe
48 | 740 | RUNDLL32.EXE
49 | 740 | RUNDLL32.EXE
52 | 740 | RUNDLL32.EXE

Downloads MZ/PE file

Executes dropped EXE 7 IoCs
pid | Process
2740 | GehhlV.exe
2104 | vpn.exe
2372 | 4.exe
3972 | SmartClock.exe
2160 | Accostarmi.exe.com
428 | Accostarmi.exe.com
2760 | dhwefecxurd.exe

Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | 4.exe

Loads dropped DLL 5 IoCs
pid | Process
2740 | GehhlV.exe
3952 | rundll32.exe
3952 | rundll32.exe
740 | RUNDLL32.EXE
740 | RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
26 | ip-api.com

Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\foler\olader\acppage.dll | GehhlV.exe
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | GehhlV.exe
File created | C:\Program Files (x86)\foler\olader\acledit.dll | GehhlV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Accostarmi.exe.com
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Accostarmi.exe.com

Delays execution with timeout.exe 1 IoCs
pid | Process
3864 | timeout.exe

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | Accostarmi.exe.com

Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | WScript.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | WScript.exe

Runs ping.exe 1 TTPs 1 IoCs
pid | Process
3868 | PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3972 | SmartClock.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3952 | rundll32.exe
Token: SeDebugPrivilege | 740 | RUNDLL32.EXE

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3972 | 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe
3972 | 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3972 wrote to memory of 2152 | 3972 | 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | 79
PID 3972 wrote to memory of 2152 | 3972 | 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | 79
PID 3972 wrote to memory of 2152 | 3972 | 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | 79
PID 2152 wrote to memory of 2740 | 2152 | cmd.exe | 81
PID 2152 wrote to memory of 2740 | 2152 | cmd.exe | 81
PID 2152 wrote to memory of 2740 | 2152 | cmd.exe | 81
PID 2740 wrote to memory of 2104 | 2740 | GehhlV.exe | 82
PID 2740 wrote to memory of 2104 | 2740 | GehhlV.exe | 82
PID 2740 wrote to memory of 2104 | 2740 | GehhlV.exe | 82
PID 2740 wrote to memory of 2372 | 2740 | GehhlV.exe | 83
PID 2740 wrote to memory of 2372 | 2740 | GehhlV.exe | 83
PID 2740 wrote to memory of 2372 | 2740 | GehhlV.exe | 83
PID 2104 wrote to memory of 1848 | 2104 | vpn.exe | 84
PID 2104 wrote to memory of 1848 | 2104 | vpn.exe | 84
PID 2104 wrote to memory of 1848 | 2104 | vpn.exe | 84
PID 2104 wrote to memory of 3456 | 2104 | vpn.exe | 86
PID 2104 wrote to memory of 3456 | 2104 | vpn.exe | 86
PID 2104 wrote to memory of 3456 | 2104 | vpn.exe | 86
PID 3972 wrote to memory of 4072 | 3972 | cmd.exe | 88
PID 3972 wrote to memory of 4072 | 3972 | cmd.exe | 88
PID 3972 wrote to memory of 4072 | 3972 | cmd.exe | 88
PID 2104 wrote to memory of 8 | 2104 | vpn.exe | 90
PID 2104 wrote to memory of 8 | 2104 | vpn.exe | 90
PID 2104 wrote to memory of 8 | 2104 | vpn.exe | 90
PID 4072 wrote to memory of 3864 | 4072 | cmd.exe | 92
PID 4072 wrote to memory of 3864 | 4072 | cmd.exe | 92
PID 4072 wrote to memory of 3864 | 4072 | cmd.exe | 92
PID 2104 wrote to memory of 3852 | 2104 | vpn.exe | 93
PID 2104 wrote to memory of 3852 | 2104 | vpn.exe | 93
PID 2104 wrote to memory of 3852 | 2104 | vpn.exe | 93
PID 2104 wrote to memory of 1060 | 2104 | vpn.exe | 124
PID 2104 wrote to memory of 1060 | 2104 | vpn.exe | 124
PID 2104 wrote to memory of 1060 | 2104 | vpn.exe | 124
PID 2104 wrote to memory of 1704 | 2104 | vpn.exe | 126
PID 2104 wrote to memory of 1704 | 2104 | vpn.exe | 126
PID 2104 wrote to memory of 1704 | 2104 | vpn.exe | 126
PID 2104 wrote to memory of 1844 | 2104 | vpn.exe | 99
PID 2104 wrote to memory of 1844 | 2104 | vpn.exe | 99
PID 2104 wrote to memory of 1844 | 2104 | vpn.exe | 99
PID 2104 wrote to memory of 4080 | 2104 | vpn.exe | 101
PID 2104 wrote to memory of 4080 | 2104 | vpn.exe | 101
PID 2104 wrote to memory of 4080 | 2104 | vpn.exe | 101
PID 2104 wrote to memory of 3608 | 2104 | vpn.exe | 103
PID 2104 wrote to memory of 3608 | 2104 | vpn.exe | 103
PID 2104 wrote to memory of 3608 | 2104 | vpn.exe | 103
PID 2104 wrote to memory of 1056 | 2104 | vpn.exe | 105
PID 2104 wrote to memory of 1056 | 2104 | vpn.exe | 105
PID 2104 wrote to memory of 1056 | 2104 | vpn.exe | 105
PID 2104 wrote to memory of 3948 | 2104 | vpn.exe | 107
PID 2104 wrote to memory of 3948 | 2104 | vpn.exe | 107
PID 2104 wrote to memory of 3948 | 2104 | vpn.exe | 107
PID 2104 wrote to memory of 1224 | 2104 | vpn.exe | 109
PID 2104 wrote to memory of 1224 | 2104 | vpn.exe | 109
PID 2104 wrote to memory of 1224 | 2104 | vpn.exe | 109
PID 2104 wrote to memory of 2588 | 2104 | vpn.exe | 111
PID 2104 wrote to memory of 2588 | 2104 | vpn.exe | 111
PID 2104 wrote to memory of 2588 | 2104 | vpn.exe | 111
PID 2104 wrote to memory of 2284 | 2104 | vpn.exe | 113
PID 2104 wrote to memory of 2284 | 2104 | vpn.exe | 113
PID 2104 wrote to memory of 2284 | 2104 | vpn.exe | 113
PID 2104 wrote to memory of 3572 | 2104 | vpn.exe | 115
PID 2104 wrote to memory of 3572 | 2104 | vpn.exe | 115
PID 2104 wrote to memory of 3572 | 2104 | vpn.exe | 115
PID 2104 wrote to memory of 3972 | 2104 | vpn.exe | 132
Processes
(Entries are indented by process-tree depth; the bracketed number is the depth reported by the sandbox.)

[1] C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"
    PID: 3972
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GehhlV.exe"
      PID: 2152
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\GehhlV.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\GehhlV.exe"
        PID: 2740
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
          PID: 2104
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c IEupGZtiGuhYLuXTzhQLTFqwaOOuZUNPiXjCGSSBCwddKCJqvZSswXKrDtQRkYoManQNUcjBcfoRgKsQyNJZwvOljoY
            PID: 1848
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c wqfETEXjLVywMsVMOSOTMqMbfoKWJGBLvKmxZEYKNytlIHjJAevzxyPwgRfKUwCyxxEeSBMpUtuHVBPHVqcHl
            PID: 3456
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c ssVbyofhQLCZQhelRYdjmfZiuNwIO
            PID: 8
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c FVUjrhucvEUGgxyWLCELpvsYHwsOsauGnWuHtDlPrcCLsSwFepwmtrKoDWEwWartbgisgbRisOINUFGOqMMidHCcjXtiYpSKsngrLJsEaUifxWgYdQwpGWNQLLydzJooVXvv
            PID: 3852
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c DrdciOcmhwdIyRoiJtcKnsZEqkIMZzbASGMMKOmiadnKOHhRZqjSqLSj
            PID: 1060
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c LxVuJATDQQnycvUFhso
            PID: 1704
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c fQaXQMYuEmuOmJZzDwIPFuYQOMEDahNzKxNVeXfXCNZdKKFMbBwkJzhoRBptoxOdLMryVrsFMLjSiHuriRuQkBKsuFtAOlPiYIEYHmQzlvmXucwpcyXdgXylwLZdZQRBW
            PID: 1844
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c TmeovHqMGPeMkLDUyIhnSqDx
            PID: 4080
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c VAAzzFXwqBCuhJffCsfigAhMyLogbjSVIkAiAahlyLlpwORYXpdJhjHcjNgHvIDOJGnepoOpryeDftLdTpdgWpIcDtUNrFNvovAxfPPPxuFiltuieXNhafRmYenthwunsGcSEdqtxBUQ
            PID: 3608
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c AknYMKyRArSEqvhdKBaqiQDJhDLWJTRcwWbRquBdqGRDCgDUNNJZBQcKHOLoZooHjbDtYcdEqwZBYqiYqQpVpRTkA
            PID: 1056
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c lkcadRbldtLnWavyZmQULHHMopZjbxEsDkkypIKirOJrhBUQmrSzcGwDEIpiSkMVmzVKisWsOIQXXDnHgpNxClWXpIBAnDfSeNDUGpJiiBFMPrFqlCS
            PID: 3948
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c bazfbXAmPvSkzXVpqEqyAFjwFloyeBdWKGcJxhvJIpsLIzaRovZFBNoRyaKhPcvgyWBMCkOMisvdhBakRdXFBKxXbDEeDpThNrFMSGf
            PID: 1224
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c HjnldSDDZncnbRMcCDgYGMpXboClWFzlwqYfklGFZqetNxQWdplgsdfVeAMifzHzykbvTbpaXJZGKypeaGTMctSKLejKbnfGzIYCXxrTqSdIsJkXsJPImVYqaNLQlnUmzahwuGyYDqLDN
            PID: 2588
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c zwRgzNJGibKXlpIjIBXRgYvpRKEQympxhizJZV
            PID: 2284
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c iPNkPsovVfsspGVVxEHbJpS
            PID: 3572
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c HhfKeQYhMbQeBNHSIhIANoqNskYysncXWjDCwbzydrEMQTxGXPOcAsNmhCzQRTWgwSyglyRlUCpKEhXbRai
            PID: 3972
            - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c JZbEntgmtCgbifLYOuvSXDBXoeVZEWZmLzEwxAPyQausgMDgCZIKVfEunmvcofUiDPLNLJDgddeFvlJcmHbFhg
            PID: 1176
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c vPnDVrzXBbYNmqPCTcxxEhZJhPwWBSgUgkfYjyHkWzBibvlxKtDlTTZoPPfyebcIptmgKQfNNpnlMRkRFGkbgtqxki
            PID: 3952
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c bQConYSYzXWKTOQvKcOcYDnmcjXxtryeD
            PID: 612
          [6] C:\Windows\System32\Conhost.exe
              Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              PID: 1060
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c SWkqqjUTSUJWsJbHdZvLlTseNjwbTfSTukWTkJcCBtLEQmUgWvNyFSbYFojNkvZCePPuMEvGEUpuiNjhaMBvBMggOYgevHsyypCqJ
            PID: 2384
          [6] C:\Windows\System32\Conhost.exe
              Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              PID: 1704
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c BsquBLIsQRWZcnVCqfBBsOdxpWCtqYkkEElpvclCGbivybkTpCojnovNwFWEoDdRGKxRhLyFyYVTGTgLLJUnQYNcibiRnFzeidQcrzFnvCumhDuoslTmI
            PID: 1812
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c QTiOfHdCBoHxLdwvwNIQbnNnOoEJqH & LsYakXYEXnGEvHrLYMdqwJpJayIqurHBTfWeNYPnroKaRTsQKbGWKGReogZufXnUQtKuLqYZWRXSYRSnNRfJvKRhbTUnYJpyKQBNpkyJnGZSJZtscBabHPnujvIRumwhIRi & fygCMGlPKZDnPDrbdMnVscAMCgDZFMpS & VwdjPLwEIchTlwDvEWWzjQUFBZbrkpYPLHTBMlAqvdIqhTajZCwPjnEyuLKPhYamvbiDowJzcVWViUsIHkrJioDjeOcwmLNnXpDQMPtYSIzsCJXjzeowUJshUUAzGI & KonXYsBWRiyQmPjKzRpIbCMDgSfWRgKalPJotLYVRudTPTRnIpiBbZcovUJywFtCvNFKurGHShQskSOxqRgIipVlzBMpwSTkeNbwhiaECmIpptWDygylsvchScsFdvGZzEfn & MiTnJyHALwgEptMNJUFslpSQNguTIPEPnoaijLIsOMuzeqiaTjKKJulDgeLxYOSWbm & qLEBYjgDbrnNNiNZvyTysXPTpqh & ZUpWDTiHfLMnxCNAQfXhkOcRDzOeVLsXYWDDTBlTquKLzcLPlfeUequkna & pttLDzOmbYpGftthytKniHZRFJbUYPayBiwOVxisEWhQwINPYNwuNTjByhyUVTB & FryirfsKXaTlxoQWVIWkOjsHUmJIgjcKcFlXDGLJcdpcZwiXvoYhXdTzMnjEGIvKWoPOXSzfWjPbrWHTsLkygoNyMRktzirMUnnRj & ZEPIdKAvdQRzjUbdcOcKeuGgWPpeCEbQGZLGdFReEfAchqUofEeKcBdTXAMB & nTMaqMhoQZQXauMFkwWUqMXBNxtISJQTfAyvOejhHZmFjNecDhMnQGALVlFGHEdioWHSqdRpOIhqhafZaJtE & seJZzAEvGFeJsvfulchvCKizAbCVGhYAMpRTYSGQhMirlsVWZTigRixHVfmWXJQaGCWoFvoaOvpQCtooBGVMuKIEPpYIaKTEWPvIcNsDLPmxYEtRudxdNtjWTsacbmZrDETNHANOgaqdlg & lyiCwdCQSCAOrcWyjPvQzKdlFDGecrVLFLifdXXNwOwkuMKaajOAOnjAOXWnKmcPGPpahGPgRIOFJyrTShKpgxWunHBzwmrCa & EsCsyLvAJuJHQITeFvPjAkSeTFychaFjhvBMdAiYMOL & bRRSmYTGMuLamAnAGqjdAvzxiiMtfQmMAwEeOjWfnZAuKojPeHaLBcdqbvLakOsVGZSbVcLxtXRBWhJYUWeHnOltLEFsADrJHEALdPUHVYGEDOrlMNbfMJvRONMsQ & TATiTaMYIyexLAiGBXAxENuOXYiIWCeDQBtyLcULbOyahsXWKokPQcPyxtlVltey & nElcwUuePWQIOBFqk & OdhNxMZLGlZAzMZfONNBIhyMqnYbGDFUZyhOOLpbvdgVrgDtInNRhJfAkBMVNBtrEtBhnkAeDfysYlJLVUOiPNHfPMDhZgKUjldYNfFbYKgXEYCqRqZSNWhRbjbLIjrgElyNTKYGgsptmJKRl & vYgRifXmAARUOLHZaxSOiiwzEcMosOBGBuQtqNrQQzpnOxDnbmddZvxgXUhLCOiMZkaIUDZFdwXNXDFpSgLRbk & tLBiymshejbnDwUDUALZXmHszftThrffNEgXzcTuZNVBAtwiXLRsMkIFrpNQcbZYWiLYNXpnHEqpDuRfhWWCjYDCVJTpIrLBN & EazrxZBaJikmwXanCnBbMXEpettqQETncHBmVpCWwTgcdvHWRpAjqdpGNlqdVBCyhNrxcTCaVEcTJpSFvooGtGbybULLpjqAspiCzjAYHiscUdXEsxTNaVwGfYXBiQpJEVBAwfjpHlYW & wluXuzOahiciAhcfZQQXHRYPbDwoJyiXtshNQDwvcdsNuaAeQTIx & ZHlksADaFJiqnrpZHmcPzCsAkJteYsP & NOyJrCmrbtPHpNHfsrpxhEObdKqHcAzhTKjJYmVyZssgMKdbwPLVoxpoqIaaCRIXLCNmAYs & ircVhmKGxCGGPnynArJfiCDoJxDlWRWrbUNyZgVBXMYZkwihbgYvgwKEAhkSVAJDFCoVKqmjiiaxEDWIjdNISAOvpoEMerFvecxITjCbPMgiIfqXdDFFNwKyNMLCcN & tCVsopgOqOdSukHNUiHcmbZJwLgUuAZwwCl & MXSNeOFQboEUuYRxOsKHDjdbVzHmOgQDqrwWfTzKRojSuzOoJEhKSCqAHcSJuywoawTeXVyUYZPxqndBEmQlwuKneBf & wKDMutAyAMkNnaMTNGAoystHgRukdcZvGkTgcrhVYlqShrLJxRKvquOJFWbfXgPtMPijnnbKzEpUdjzkyvRmKDcmbpImFYXKcWynVnlWzqevXUzaCjpBbfzoxIPgPYyxGmnxu & fHjVyKAYCDQdWaOvjyCXthJWuxVIQbcYkHWCfClJHcykbmeMFpjzSpReXfOKPSotoStfcjiKVSfIibnHaoeGlwyePUEZNmUOhqrFcNszeCbZTpUARuaGQBUuMwmBHoXvYAxuzSjFR & C:\Windows\system32\cmd < Sta.vssm
            PID: 4020
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd
              PID: 3856
            [7] C:\Windows\SysWOW64\findstr.exe
                Command line: findstr /V /R "^hSpSigSzxLDGSondFTKDkxVhNUxDcdcqRWsJEwXjjqzRIWcClcFKPiZTXVtjTfXtfCOWROMEVndkqrEQnSaqLLlJWbMIWL$" Cui.vssm
                PID: 1076
            [7] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com
                Command line: Accostarmi.exe.com c
                PID: 2160
                - Executes dropped EXE
              [8] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com
                  Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com c
                  PID: 428
                  - Executes dropped EXE
                  - Checks processor information in registry
                  - Modifies registry class
                [9] C:\Users\Admin\AppData\Local\Temp\dhwefecxurd.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\dhwefecxurd.exe"
                    PID: 2760
                    - Executes dropped EXE
                  [10] C:\Windows\SysWOW64\rundll32.exe
                      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DHWEFE~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\DHWEFE~1.EXE
                      PID: 3952
                      - Loads dropped DLL
                      - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\SysWOW64\RUNDLL32.EXE
                        Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DHWEFE~1.DLL,XDoiLDZ4BaQ=
                        PID: 740
                        - Blocklisted process makes network request
                        - Loads dropped DLL
                        - Suspicious use of AdjustPrivilegeToken
                [9] C:\Windows\SysWOW64\WScript.exe
                    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\uluswhprg.vbs"
                    PID: 3844
                [9] C:\Windows\SysWOW64\WScript.exe
                    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\kuqfqsrpjcw.vbs"
                    PID: 4012
                    - Blocklisted process makes network request
                    - Modifies system certificate store
            [7] C:\Windows\SysWOW64\PING.EXE
                Command line: ping 127.0.0.1 -n 30
                PID: 3868
                - Runs ping.exe
      [4] C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
          PID: 2372
          - Executes dropped EXE
          - Drops startup file
        [5] C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
            PID: 3972
            - Executes dropped EXE
            - Suspicious behavior: AddClipboardFormatListener
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\jINZmHHD & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"
      PID: 4072
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        PID: 3864
        - Delays execution with timeout.exe