Analysis
-
max time kernel
147s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
14/05/2021, 10:02
Static task
static1
Behavioral task
behavioral1
Sample
fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe
Resource
win7v20210410
General
-
Target
fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe
-
Size
745KB
-
MD5
4f47f2fa563304efe9fffb13b32427f4
-
SHA1
97cc4db66c9636bd47031cb9e4a667643be9ee89
-
SHA256
fe68a629898384bb2edf90406da4c9d6764fd04e5337514e7edd9c2c608d2242
-
SHA512
a359e40931c6124e6b2dfce44b107fdad8e439d10dc1dba018d4c62c9bbca88f8bb2788249d810c3c91dd542461dd659b0472af746fd79455c246b7e5dddec03
Malware Config
Extracted
cryptbot
remdny42.top
morpgr04.top
-
payload_url
http://sulnom06.top/download.php?file=lv.exe
Extracted
danabot
1827
3
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
-
embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
Signatures
-
CryptBot Payload 4 IoCs
resource yara_rule behavioral2/memory/3984-114-0x0000000002170000-0x0000000002251000-memory.dmp family_cryptbot behavioral2/memory/3984-115-0x0000000000400000-0x00000000004E5000-memory.dmp family_cryptbot behavioral2/memory/2768-171-0x00000000004F0000-0x000000000063A000-memory.dmp family_cryptbot behavioral2/memory/3296-174-0x0000000000470000-0x00000000005BA000-memory.dmp family_cryptbot -
Blocklisted process makes network request 5 IoCs
flow pid Process 39 416 RUNDLL32.EXE 41 3968 WScript.exe 43 3968 WScript.exe 45 3968 WScript.exe 47 3968 WScript.exe -
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
pid Process 1348 SfPFs.exe 2612 vpn.exe 2768 4.exe 3296 SmartClock.exe 3648 Accostarmi.exe.com 1492 Accostarmi.exe.com 2432 fkwvufq.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe -
Loads dropped DLL 4 IoCs
pid Process 1348 SfPFs.exe 2072 rundll32.exe 416 RUNDLL32.EXE 416 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 26 ip-api.com -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\foler\olader\acppage.dll SfPFs.exe File created C:\Program Files (x86)\foler\olader\adprovider.dll SfPFs.exe File created C:\Program Files (x86)\foler\olader\acledit.dll SfPFs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Accostarmi.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Accostarmi.exe.com Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE -
Delays execution with timeout.exe 1 IoCs
pid Process 2120 timeout.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Accostarmi.exe.com -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 WScript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e WScript.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 684 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3296 SmartClock.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2268 powershell.exe 2268 powershell.exe 2268 powershell.exe 416 RUNDLL32.EXE 416 RUNDLL32.EXE 196 powershell.exe 196 powershell.exe 196 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2072 rundll32.exe Token: SeDebugPrivilege 416 RUNDLL32.EXE Token: SeDebugPrivilege 2268 powershell.exe Token: SeDebugPrivilege 196 powershell.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 3984 fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe 3984 fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe 416 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3984 wrote to memory of 3476 3984 fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe 79 PID 3984 wrote to memory of 3476 3984 fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe 79 PID 3984 wrote to memory of 3476 3984 fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe 79 PID 3476 wrote to memory of 1348 3476 cmd.exe 81 PID 3476 wrote to memory of 1348 3476 cmd.exe 81 PID 3476 wrote to memory of 1348 3476 cmd.exe 81 PID 1348 wrote to memory of 2612 1348 SfPFs.exe 82 PID 1348 wrote to memory of 2612 1348 SfPFs.exe 82 PID 1348 wrote to memory of 2612 1348 SfPFs.exe 82 PID 1348 wrote to memory of 2768 1348 SfPFs.exe 83 PID 1348 wrote to memory of 2768 1348 SfPFs.exe 83 PID 1348 wrote to memory of 2768 1348 SfPFs.exe 83 PID 2612 wrote to memory of 1176 2612 vpn.exe 84 PID 2612 wrote to memory of 1176 2612 vpn.exe 84 PID 2612 wrote to memory of 1176 2612 vpn.exe 84 PID 2612 wrote to memory of 2428 2612 vpn.exe 86 PID 2612 wrote to memory of 2428 2612 vpn.exe 86 PID 2612 wrote to memory of 2428 2612 vpn.exe 86 PID 2612 wrote to memory of 2756 2612 vpn.exe 88 PID 2612 wrote to memory of 2756 2612 vpn.exe 88 PID 2612 wrote to memory of 2756 2612 vpn.exe 88 PID 2612 wrote to memory of 736 2612 vpn.exe 90 PID 2612 wrote to memory of 736 2612 vpn.exe 90 PID 2612 wrote to memory of 736 2612 vpn.exe 90 PID 2612 wrote to memory of 2040 2612 vpn.exe 92 PID 2612 wrote to memory of 2040 2612 vpn.exe 92 PID 2612 wrote to memory of 2040 2612 vpn.exe 92 PID 2612 wrote to memory of 3244 2612 vpn.exe 94 PID 2612 wrote to memory of 3244 2612 vpn.exe 94 PID 2612 wrote to memory of 3244 2612 vpn.exe 94 PID 2612 wrote to memory of 184 2612 vpn.exe 99 PID 2612 wrote to memory of 184 2612 vpn.exe 99 PID 2612 wrote to memory of 184 2612 vpn.exe 99 PID 3984 wrote to memory of 2848 3984 fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe 96 PID 3984 wrote to memory of 2848 3984 fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe 96 PID 3984 wrote to memory of 2848 3984 fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe 96 PID 2612 wrote to memory of 2972 2612 vpn.exe 102 PID 2612 wrote to memory of 2972 2612 vpn.exe 102 PID 2612 wrote to memory of 2972 2612 vpn.exe 102 PID 2848 wrote to memory of 2120 2848 cmd.exe 100 PID 2848 wrote to memory of 2120 2848 cmd.exe 100 PID 2848 wrote to memory of 2120 2848 cmd.exe 100 PID 2612 wrote to memory of 1200 2612 vpn.exe 103 PID 2612 wrote to memory of 1200 2612 vpn.exe 103 PID 2612 wrote to memory of 1200 2612 vpn.exe 103 PID 2612 wrote to memory of 2436 2612 vpn.exe 105 PID 2612 wrote to memory of 2436 2612 vpn.exe 105 PID 2612 wrote to memory of 2436 2612 vpn.exe 105 PID 2612 wrote to memory of 3996 2612 vpn.exe 107 PID 2612 wrote to memory of 3996 2612 vpn.exe 107 PID 2612 wrote to memory of 3996 2612 vpn.exe 107 PID 2612 wrote to memory of 2080 2612 vpn.exe 109 PID 2612 wrote to memory of 2080 2612 vpn.exe 109 PID 2612 wrote to memory of 2080 2612 vpn.exe 109 PID 2612 wrote to memory of 1760 2612 vpn.exe 111 PID 2612 wrote to memory of 1760 2612 vpn.exe 111 PID 2612 wrote to memory of 1760 2612 vpn.exe 111 PID 2612 wrote to memory of 772 2612 vpn.exe 113 PID 2612 wrote to memory of 772 2612 vpn.exe 113 PID 2612 wrote to memory of 772 2612 vpn.exe 113 PID 2612 wrote to memory of 732 2612 vpn.exe 115 PID 2612 wrote to memory of 732 2612 vpn.exe 115 PID 2612 wrote to memory of 732 2612 vpn.exe 115 PID 2612 wrote to memory of 684 2612 vpn.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe"C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe"1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\SfPFs.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\SfPFs.exe"C:\Users\Admin\AppData\Local\Temp\SfPFs.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c IEupGZtiGuhYLuXTzhQLTFqwaOOuZUNPiXjCGSSBCwddKCJqvZSswXKrDtQRkYoManQNUcjBcfoRgKsQyNJZwvOljoY5⤵PID:1176
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wqfETEXjLVywMsVMOSOTMqMbfoKWJGBLvKmxZEYKNytlIHjJAevzxyPwgRfKUwCyxxEeSBMpUtuHVBPHVqcHl5⤵PID:2428
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ssVbyofhQLCZQhelRYdjmfZiuNwIO5⤵PID:2756
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c FVUjrhucvEUGgxyWLCELpvsYHwsOsauGnWuHtDlPrcCLsSwFepwmtrKoDWEwWartbgisgbRisOINUFGOqMMidHCcjXtiYpSKsngrLJsEaUifxWgYdQwpGWNQLLydzJooVXvv5⤵PID:736
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c DrdciOcmhwdIyRoiJtcKnsZEqkIMZzbASGMMKOmiadnKOHhRZqjSqLSj5⤵PID:2040
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c LxVuJATDQQnycvUFhso5⤵PID:3244
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c fQaXQMYuEmuOmJZzDwIPFuYQOMEDahNzKxNVeXfXCNZdKKFMbBwkJzhoRBptoxOdLMryVrsFMLjSiHuriRuQkBKsuFtAOlPiYIEYHmQzlvmXucwpcyXdgXylwLZdZQRBW5⤵PID:184
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c TmeovHqMGPeMkLDUyIhnSqDx5⤵PID:2972
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c VAAzzFXwqBCuhJffCsfigAhMyLogbjSVIkAiAahlyLlpwORYXpdJhjHcjNgHvIDOJGnepoOpryeDftLdTpdgWpIcDtUNrFNvovAxfPPPxuFiltuieXNhafRmYenthwunsGcSEdqtxBUQ5⤵PID:1200
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c AknYMKyRArSEqvhdKBaqiQDJhDLWJTRcwWbRquBdqGRDCgDUNNJZBQcKHOLoZooHjbDtYcdEqwZBYqiYqQpVpRTkA5⤵PID:2436
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c lkcadRbldtLnWavyZmQULHHMopZjbxEsDkkypIKirOJrhBUQmrSzcGwDEIpiSkMVmzVKisWsOIQXXDnHgpNxClWXpIBAnDfSeNDUGpJiiBFMPrFqlCS5⤵PID:3996
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bazfbXAmPvSkzXVpqEqyAFjwFloyeBdWKGcJxhvJIpsLIzaRovZFBNoRyaKhPcvgyWBMCkOMisvdhBakRdXFBKxXbDEeDpThNrFMSGf5⤵PID:2080
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c HjnldSDDZncnbRMcCDgYGMpXboClWFzlwqYfklGFZqetNxQWdplgsdfVeAMifzHzykbvTbpaXJZGKypeaGTMctSKLejKbnfGzIYCXxrTqSdIsJkXsJPImVYqaNLQlnUmzahwuGyYDqLDN5⤵PID:1760
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c zwRgzNJGibKXlpIjIBXRgYvpRKEQympxhizJZV5⤵PID:772
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c iPNkPsovVfsspGVVxEHbJpS5⤵PID:732
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c HhfKeQYhMbQeBNHSIhIANoqNskYysncXWjDCwbzydrEMQTxGXPOcAsNmhCzQRTWgwSyglyRlUCpKEhXbRai5⤵PID:684
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c JZbEntgmtCgbifLYOuvSXDBXoeVZEWZmLzEwxAPyQausgMDgCZIKVfEunmvcofUiDPLNLJDgddeFvlJcmHbFhg5⤵PID:3028
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vPnDVrzXBbYNmqPCTcxxEhZJhPwWBSgUgkfYjyHkWzBibvlxKtDlTTZoPPfyebcIptmgKQfNNpnlMRkRFGkbgtqxki5⤵PID:2132
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bQConYSYzXWKTOQvKcOcYDnmcjXxtryeD5⤵PID:2484
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c SWkqqjUTSUJWsJbHdZvLlTseNjwbTfSTukWTkJcCBtLEQmUgWvNyFSbYFojNkvZCePPuMEvGEUpuiNjhaMBvBMggOYgevHsyypCqJ5⤵PID:2976
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c BsquBLIsQRWZcnVCqfBBsOdxpWCtqYkkEElpvclCGbivybkTpCojnovNwFWEoDdRGKxRhLyFyYVTGTgLLJUnQYNcibiRnFzeidQcrzFnvCumhDuoslTmI5⤵PID:2044
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c QTiOfHdCBoHxLdwvwNIQbnNnOoEJqH & LsYakXYEXnGEvHrLYMdqwJpJayIqurHBTfWeNYPnroKaRTsQKbGWKGReogZufXnUQtKuLqYZWRXSYRSnNRfJvKRhbTUnYJpyKQBNpkyJnGZSJZtscBabHPnujvIRumwhIRi & fygCMGlPKZDnPDrbdMnVscAMCgDZFMpS & VwdjPLwEIchTlwDvEWWzjQUFBZbrkpYPLHTBMlAqvdIqhTajZCwPjnEyuLKPhYamvbiDowJzcVWViUsIHkrJioDjeOcwmLNnXpDQMPtYSIzsCJXjzeowUJshUUAzGI & KonXYsBWRiyQmPjKzRpIbCMDgSfWRgKalPJotLYVRudTPTRnIpiBbZcovUJywFtCvNFKurGHShQskSOxqRgIipVlzBMpwSTkeNbwhiaECmIpptWDygylsvchScsFdvGZzEfn & MiTnJyHALwgEptMNJUFslpSQNguTIPEPnoaijLIsOMuzeqiaTjKKJulDgeLxYOSWbm & qLEBYjgDbrnNNiNZvyTysXPTpqh & ZUpWDTiHfLMnxCNAQfXhkOcRDzOeVLsXYWDDTBlTquKLzcLPlfeUequkna & pttLDzOmbYpGftthytKniHZRFJbUYPayBiwOVxisEWhQwINPYNwuNTjByhyUVTB & FryirfsKXaTlxoQWVIWkOjsHUmJIgjcKcFlXDGLJcdpcZwiXvoYhXdTzMnjEGIvKWoPOXSzfWjPbrWHTsLkygoNyMRktzirMUnnRj & ZEPIdKAvdQRzjUbdcOcKeuGgWPpeCEbQGZLGdFReEfAchqUofEeKcBdTXAMB & nTMaqMhoQZQXauMFkwWUqMXBNxtISJQTfAyvOejhHZmFjNecDhMnQGALVlFGHEdioWHSqdRpOIhqhafZaJtE & seJZzAEvGFeJsvfulchvCKizAbCVGhYAMpRTYSGQhMirlsVWZTigRixHVfmWXJQaGCWoFvoaOvpQCtooBGVMuKIEPpYIaKTEWPvIcNsDLPmxYEtRudxdNtjWTsacbmZrDETNHANOgaqdlg & lyiCwdCQSCAOrcWyjPvQzKdlFDGecrVLFLifdXXNwOwkuMKaajOAOnjAOXWnKmcPGPpahGPgRIOFJyrTShKpgxWunHBzwmrCa & EsCsyLvAJuJHQITeFvPjAkSeTFychaFjhvBMdAiYMOL & bRRSmYTGMuLamAnAGqjdAvzxiiMtfQmMAwEeOjWfnZAuKojPeHaLBcdqbvLakOsVGZSbVcLxtXRBWhJYUWeHnOltLEFsADrJHEALdPUHVYGEDOrlMNbfMJvRONMsQ & TATiTaMYIyexLAiGBXAxENuOXYiIWCeDQBtyLcULbOyahsXWKokPQcPyxtlVltey & nElcwUuePWQIOBFqk & OdhNxMZLGlZAzMZfONNBIhyMqnYbGDFUZyhOOLpbvdgVrgDtInNRhJfAkBMVNBtrEtBhnkAeDfysYlJLVUOiPNHfPMDhZgKUjldYNfFbYKgXEYCqRqZSNWhRbjbLIjrgElyNTKYGgsptmJKRl & vYgRifXmAARUOLHZaxSOiiwzEcMosOBGBuQtqNrQQzpnOxDnbmddZvxgXUhLCOiMZkaIUDZFdwXNXDFpSgLRbk & tLBiymshejbnDwUDUALZXmHszftThrffNEgXzcTuZNVBAtwiXLRsMkIFrpNQcbZYWiLYNXpnHEqpDuRfhWWCjYDCVJTpIrLBN & EazrxZBaJikmwXanCnBbMXEpettqQETncHBmVpCWwTgcdvHWRpAjqdpGNlqdVBCyhNrxcTCaVEcTJpSFvooGtGbybULLpjqAspiCzjAYHiscUdXEsxTNaVwGfYXBiQpJEVBAwfjpHlYW & wluXuzOahiciAhcfZQQXHRYPbDwoJyiXtshNQDwvcdsNuaAeQTIx & ZHlksADaFJiqnrpZHmcPzCsAkJteYsP & NOyJrCmrbtPHpNHfsrpxhEObdKqHcAzhTKjJYmVyZssgMKdbwPLVoxpoqIaaCRIXLCNmAYs & ircVhmKGxCGGPnynArJfiCDoJxDlWRWrbUNyZgVBXMYZkwihbgYvgwKEAhkSVAJDFCoVKqmjiiaxEDWIjdNISAOvpoEMerFvecxITjCbPMgiIfqXdDFFNwKyNMLCcN & tCVsopgOqOdSukHNUiHcmbZJwLgUuAZwwCl & MXSNeOFQboEUuYRxOsKHDjdbVzHmOgQDqrwWfTzKRojSuzOoJEhKSCqAHcSJuywoawTeXVyUYZPxqndBEmQlwuKneBf & wKDMutAyAMkNnaMTNGAoystHgRukdcZvGkTgcrhVYlqShrLJxRKvquOJFWbfXgPtMPijnnbKzEpUdjzkyvRmKDcmbpImFYXKcWynVnlWzqevXUzaCjpBbfzoxIPgPYyxGmnxu & fHjVyKAYCDQdWaOvjyCXthJWuxVIQbcYkHWCfClJHcykbmeMFpjzSpReXfOKPSotoStfcjiKVSfIibnHaoeGlwyePUEZNmUOhqrFcNszeCbZTpUARuaGQBUuMwmBHoXvYAxuzSjFR & C:\Windows\system32\cmd < Sta.vssm5⤵PID:1336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd6⤵PID:192
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^hSpSigSzxLDGSondFTKDkxVhNUxDcdcqRWsJEwXjjqzRIWcClcFKPiZTXVtjTfXtfCOWROMEVndkqrEQnSaqLLlJWbMIWL$" Cui.vssm7⤵PID:3928
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.comAccostarmi.exe.com c7⤵
- Executes dropped EXE
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com c8⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\fkwvufq.exe"C:\Users\Admin\AppData\Local\Temp\fkwvufq.exe"9⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\FKWVUF~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\fkwvufq.exe10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2072 -
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\FKWVUF~1.DLL,VUwJLDbbBYw=11⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:416 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp8444.tmp.ps1"12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp9945.tmp.ps1"12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:196 -
C:\Windows\SysWOW64\nslookup.exe"C:\Windows\system32\nslookup.exe" -type=any localhost13⤵PID:2272
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask12⤵PID:3524
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask12⤵PID:2348
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\exuirdymvtr.vbs"9⤵PID:4020
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sycamsasstse.vbs"9⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:3968
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 307⤵
- Runs ping.exe
PID:684
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"4⤵
- Executes dropped EXE
- Drops startup file
PID:2768 -
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3296
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\npjIgdZuyT & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fe68a629898384bb2edf90406da4c9d6764fd04e53375.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:2120
-
-