Analysis
- max time kernel: 1200s
- max time network: 681s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 09-07-2021 15:30

Behavioral task: behavioral1
Sample: REG.BR2.CGDCZJCFUNGBYDVNGJXGQIXMFMSMDFÒ.msi
Resource: win7v20210410
General
- Target: REG.BR2.CGDCZJCFUNGBYDVNGJXGQIXMFMSMDFÒ.msi
- Size: 282KB
- MD5: ccf235e43d3c30cada1d3cbc1e44ba51
- SHA1: 6040b0ad5a7bcdafefb94b7d515119ee449b16d7
- SHA256: f905e9c4eddf8ce1d56241b41ba4bc68e01fa3898844d8e833980320ac22c1ef
- SHA512: 7d079684f317c783e3754f6bd1ebf015492e86ff67b715a632151acef736f02787cda8e2789bb2cff8775a0f150b1cae5580f85f99eed5b6adb74adbefb13a58
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
- flow 1, pid 1752 MsiExec.exe
-
Executes dropped EXE 1 IoCs
Processes:
- pid 740 SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe)
-
Drops startup file 1 IoCs
Processes:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CAQCENCRYA.lnk (MsiExec.exe)
-
Loads dropped DLL 6 IoCs
Processes:
- pid 1752 MsiExec.exe (2 entries)
- pid 1868 powershell.exe (1 entry)
- pid 740 SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe (3 entries)
-
YARA rule match: themida (Themida packer) 3 IoCs
Processes:
- \Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\Avira.OE.NativeCore.dll: yara_rule themida
- C:\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\Avira.OE.NativeCore.dll: yara_rule themida
- behavioral1/memory/740-106-0x000000006C910000-0x000000006EBA2000-memory.dmp: yara_rule themida
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\Microsoft\Windows\CurrentVersion\Run (MsiExec.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAQCENCRYA = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\CAQCENCRYA.lnk" (MsiExec.exe)
-
Checks whether UAC is enabled 1 IoCs
Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe)
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:; each letter is logged twice, 48 entries in total)
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 7: ipinfo.io
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- File opened for modification \??\PhysicalDrive0 (SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe)
-
Drops file in System32 directory 1 IoCs
Processes:
- File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
- pid 740 SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe
-
Drops file in Windows directory 8 IoCs
Processes:
- File opened for modification C:\Windows\Installer\MSI712.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI85B.tmp (msiexec.exe)
- File created C:\Windows\Installer\f740669.ipi (msiexec.exe)
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIA11.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\f740669.ipi (msiexec.exe)
- File created C:\Windows\Installer\f740667.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\f740667.msi (msiexec.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
Processes:
- flow 9: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- flow 1: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- flow 5: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 1212 msiexec.exe (2 entries)
- pid 1868 powershell.exe (2 entries)
- pid 740 SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe (remaining 60 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 740 SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe
-
Suspicious use of AdjustPrivilegeToken 55 IoCs
Processes:
- pid 1996 msiexec.exe (31 entries), tokens in logged order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- pid 1212 msiexec.exe (17 entries): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating seven more times
- pid 1868 powershell.exe (1 entry): SeDebugPrivilege
- pid 740 SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe (6 entries): Token 33 and SeIncBasePriorityPrivilege, alternating three times
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
- pid 1996 msiexec.exe
- pid 1752 MsiExec.exe
- pid 1996 msiexec.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
- pid 1752 MsiExec.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
- PID 1212 msiexec.exe wrote to memory of 1752 MsiExec.exe (7 entries)
- PID 1752 MsiExec.exe wrote to memory of 1868 powershell.exe (4 entries)
- PID 1868 powershell.exe wrote to memory of 740 SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe (4 entries)
- PID 2012 cmd.exe wrote to memory of 1016 zmstage.exe (3 entries)
Processes (tree depth in brackets; children are indented under their parent)

[1] C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\REG.BR2.CGDCZJCFUNGBYDVNGJXGQIXMFMSMDFÒ.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3163D953B2B15124F25C24050EDF273C
        - Blocklisted process makes network request
        - Drops startup file
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cd\;cd 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup';Start-Sleep -s 60;Invoke-Item 'CAQCENCRYA.lnk'
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe
                Command line: "C:\Users\Public\Downloads\UMLENXHRLYSDDDBPLIJA\SCLDILBYMFVBEJSWWWRPTEQTSLRRSGWECQIÉ.exe"
                - Executes dropped EXE
                - Checks BIOS information in registry
                - Loads dropped DLL
                - Checks whether UAC is enabled
                - Writes to the Master Boot Record (MBR)
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe"

[1] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\157393131\zmstage.exe
        Command line: zmstage.exe
Downloads