Analysis
-
max time kernel
6s -
max time network
160s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
14-08-2021 15:37
General
-
Target
D52860D6BE6EA1EC9F809D6527D46B06.exe
-
Size
8.5MB
-
MD5
d52860d6be6ea1ec9f809d6527d46b06
-
SHA1
9c5a0e6266eca4f86bd38efddc8551e95451158f
-
SHA256
39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4
-
SHA512
64d356059ef696a8297a7e0f28b3108ee1a8bdb68edde0b52667fbff1b46e9daf0c42fdc545795443fbe7fe7db6734935d147f01bb3101f1f0d2fdf2e25a6000
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
smokeloader
Version
2020
C2
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Extracted
Family
raccoon
Botnet
7f2d7476ae0c3559a3dfab1f6e354e488b2429a1
Attributes
-
url4cnc
https://t.me/gishsunsetman
rc4.plain
rc4.plain
Extracted
Family
vidar
Version
40
Botnet
921
C2
https://lenak513.tumblr.com/
Attributes
-
profile_id
921
Extracted
Family
raccoon
Botnet
93d3ccba4a3cbd5e268873fc1760b2335272e198
Attributes
-
url4cnc
https://telete.in/opa4kiprivatem
rc4.plain
rc4.plain
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 2 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
Vidar Stealer 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
autoit_exe 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 17 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 62 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\D52860D6BE6EA1EC9F809D6527D46B06.exe"C:\Users\Admin\AppData\Local\Temp\D52860D6BE6EA1EC9F809D6527D46B06.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files.exe"C:\Users\Admin\AppData\Local\Temp\Files.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\2276682.exe"C:\Users\Admin\AppData\Roaming\2276682.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1580 -s 19404⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\2442876.exe"C:\Users\Admin\AppData\Roaming\2442876.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\7293505.exe"C:\Users\Admin\AppData\Roaming\7293505.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\6403253.exe"C:\Users\Admin\AppData\Roaming\6403253.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 20564⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 3843⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 3683⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 4003⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 6203⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 6563⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 6923⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 5843⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 7043⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 8563⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Installation.exe"C:\Users\Admin\AppData\Local\Temp\Installation.exe"2⤵
-
C:\Users\Admin\Documents\8eY2DlRY8iauURMX9xdWkHUE.exe"C:\Users\Admin\Documents\8eY2DlRY8iauURMX9xdWkHUE.exe"3⤵
-
-
C:\Users\Admin\Documents\Y4Vvo3RbizTyWW6QEFFED_iA.exe"C:\Users\Admin\Documents\Y4Vvo3RbizTyWW6QEFFED_iA.exe"3⤵
-
C:\Users\Admin\Documents\Y4Vvo3RbizTyWW6QEFFED_iA.exeC:\Users\Admin\Documents\Y4Vvo3RbizTyWW6QEFFED_iA.exe4⤵
-
-
-
C:\Users\Admin\Documents\v7u5_Rty4LBwBMh7g97_jyes.exe"C:\Users\Admin\Documents\v7u5_Rty4LBwBMh7g97_jyes.exe"3⤵
-
-
C:\Users\Admin\Documents\9fLJ6_wHnfwJWTjAlwNysn0n.exe"C:\Users\Admin\Documents\9fLJ6_wHnfwJWTjAlwNysn0n.exe"3⤵
-
C:\Users\Admin\Documents\9fLJ6_wHnfwJWTjAlwNysn0n.exe"C:\Users\Admin\Documents\9fLJ6_wHnfwJWTjAlwNysn0n.exe"4⤵
-
-
-
C:\Users\Admin\Documents\J8OF39M0H96rOGHejh1iMFaJ.exe"C:\Users\Admin\Documents\J8OF39M0H96rOGHejh1iMFaJ.exe"3⤵
-
-
C:\Users\Admin\Documents\W11sKfsFg8eqY7KiVkVWOYqz.exe"C:\Users\Admin\Documents\W11sKfsFg8eqY7KiVkVWOYqz.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\2439151.exe"C:\Users\Admin\AppData\Roaming\2439151.exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\7237574.exe"C:\Users\Admin\AppData\Roaming\7237574.exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\2919019.exe"C:\Users\Admin\AppData\Roaming\2919019.exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\8975893.exe"C:\Users\Admin\AppData\Roaming\8975893.exe"4⤵
-
-
-
C:\Users\Admin\Documents\xMp92xsKnxulnbmsHi9djC5y.exe"C:\Users\Admin\Documents\xMp92xsKnxulnbmsHi9djC5y.exe"3⤵
-
C:\Users\Admin\Documents\xMp92xsKnxulnbmsHi9djC5y.exeC:\Users\Admin\Documents\xMp92xsKnxulnbmsHi9djC5y.exe4⤵
-
-
-
C:\Users\Admin\Documents\mnHDISIQGFb3uMJ5CzH9rEMk.exe"C:\Users\Admin\Documents\mnHDISIQGFb3uMJ5CzH9rEMk.exe"3⤵
-
-
C:\Users\Admin\Documents\REd0l14DcLJ_w2tsFQkRC37M.exe"C:\Users\Admin\Documents\REd0l14DcLJ_w2tsFQkRC37M.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\6260374.exe"C:\Users\Admin\AppData\Roaming\6260374.exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\6716147.exe"C:\Users\Admin\AppData\Roaming\6716147.exe"4⤵
-
-
-
C:\Users\Admin\Documents\kiUhGJtCmjQSkWjugwiuuUkL.exe"C:\Users\Admin\Documents\kiUhGJtCmjQSkWjugwiuuUkL.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\2526098.exe"C:\Users\Admin\AppData\Roaming\2526098.exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\3174481.exe"C:\Users\Admin\AppData\Roaming\3174481.exe"4⤵
-
-
-
C:\Users\Admin\Documents\SZCh8ZzoGuqD0ukTJLPgSVdc.exe"C:\Users\Admin\Documents\SZCh8ZzoGuqD0ukTJLPgSVdc.exe"3⤵
-
C:\Users\Admin\Documents\SZCh8ZzoGuqD0ukTJLPgSVdc.exeC:\Users\Admin\Documents\SZCh8ZzoGuqD0ukTJLPgSVdc.exe4⤵
-
-
-
C:\Users\Admin\Documents\F9OC9L7rcHhgYbni8x2fF2tB.exe"C:\Users\Admin\Documents\F9OC9L7rcHhgYbni8x2fF2tB.exe"3⤵
-
C:\Users\Admin\Documents\F9OC9L7rcHhgYbni8x2fF2tB.exeC:\Users\Admin\Documents\F9OC9L7rcHhgYbni8x2fF2tB.exe4⤵
-
-
-
C:\Users\Admin\Documents\3RGwgYhWEOs_H96WXkgbPhmr.exe"C:\Users\Admin\Documents\3RGwgYhWEOs_H96WXkgbPhmr.exe"3⤵
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"5⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"4⤵
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
-
-
C:\Users\Admin\Documents\9iHqfzxGDkvOoe1VLycNZccD.exe"C:\Users\Admin\Documents\9iHqfzxGDkvOoe1VLycNZccD.exe"3⤵
-
-
C:\Users\Admin\Documents\AIaUTccYkhbfn9saQY1JTq5_.exe"C:\Users\Admin\Documents\AIaUTccYkhbfn9saQY1JTq5_.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 6644⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 6524⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 6804⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 6524⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 10844⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 12004⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\F8l2q3I9UR1_KJ6n_2o7a4UY.exe"C:\Users\Admin\Documents\F8l2q3I9UR1_KJ6n_2o7a4UY.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
-
C:\Users\Admin\Documents\RqFQFigtP_VkJLC9f6szDLKI.exe"C:\Users\Admin\Documents\RqFQFigtP_VkJLC9f6szDLKI.exe"3⤵
-
C:\Users\Admin\Documents\RqFQFigtP_VkJLC9f6szDLKI.exeC:\Users\Admin\Documents\RqFQFigtP_VkJLC9f6szDLKI.exe4⤵
-
-
-
C:\Users\Admin\Documents\yorKPHiWXt1TCN2rMXCMddHB.exe"C:\Users\Admin\Documents\yorKPHiWXt1TCN2rMXCMddHB.exe"3⤵
-
-
C:\Users\Admin\Documents\FGCdS8W0Qo7r7z6rsb4vNv9H.exe"C:\Users\Admin\Documents\FGCdS8W0Qo7r7z6rsb4vNv9H.exe"3⤵
-
-
C:\Users\Admin\Documents\WVAFI630K8rp7n8RWv8IBy1b.exe"C:\Users\Admin\Documents\WVAFI630K8rp7n8RWv8IBy1b.exe"3⤵
-
C:\Users\Admin\Documents\WVAFI630K8rp7n8RWv8IBy1b.exeC:\Users\Admin\Documents\WVAFI630K8rp7n8RWv8IBy1b.exe4⤵
-
-
C:\Users\Admin\Documents\WVAFI630K8rp7n8RWv8IBy1b.exeC:\Users\Admin\Documents\WVAFI630K8rp7n8RWv8IBy1b.exe4⤵
-
-
C:\Users\Admin\Documents\WVAFI630K8rp7n8RWv8IBy1b.exeC:\Users\Admin\Documents\WVAFI630K8rp7n8RWv8IBy1b.exe4⤵
-
-
-
C:\Users\Admin\Documents\0n57Yz_V0SEoij1WyqsdGKFP.exe"C:\Users\Admin\Documents\0n57Yz_V0SEoij1WyqsdGKFP.exe"3⤵
-
-
C:\Users\Admin\Documents\mtyvsYE0VO0Dv16Avb3VXM4n.exe"C:\Users\Admin\Documents\mtyvsYE0VO0Dv16Avb3VXM4n.exe"3⤵
-
-
C:\Users\Admin\Documents\rJgvWlaDc9u6_URBwmDFIv06.exe"C:\Users\Admin\Documents\rJgvWlaDc9u6_URBwmDFIv06.exe"3⤵
-
-
C:\Users\Admin\Documents\ZMwR0RJOinOaJfWi7wDi2E4q.exe"C:\Users\Admin\Documents\ZMwR0RJOinOaJfWi7wDi2E4q.exe"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaF64A.tmp\tempfile.ps1"4⤵
-
-
-
C:\Users\Admin\Documents\OKEc2rhsW9XdegEJGmRUfBt_.exe"C:\Users\Admin\Documents\OKEc2rhsW9XdegEJGmRUfBt_.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-5JVBQ.tmp\OKEc2rhsW9XdegEJGmRUfBt_.tmp"C:\Users\Admin\AppData\Local\Temp\is-5JVBQ.tmp\OKEc2rhsW9XdegEJGmRUfBt_.tmp" /SL5="$70266,138429,56832,C:\Users\Admin\Documents\OKEc2rhsW9XdegEJGmRUfBt_.exe"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Complete.exe"C:\Users\Admin\AppData\Local\Temp\Complete.exe"2⤵
-
C:\Users\Admin\Documents\UTvFxd3afeTVaxQcwahSFmTg.exe"C:\Users\Admin\Documents\UTvFxd3afeTVaxQcwahSFmTg.exe"3⤵
-
-
C:\Users\Admin\Documents\FH3OUvKXNZA7SZHZGk20zpC2.exe"C:\Users\Admin\Documents\FH3OUvKXNZA7SZHZGk20zpC2.exe"3⤵
-
-
C:\Users\Admin\Documents\SgZw6PuSbszxR5wxEi9LQ7hz.exe"C:\Users\Admin\Documents\SgZw6PuSbszxR5wxEi9LQ7hz.exe"3⤵
-
-
C:\Users\Admin\Documents\Id5oTYpCPO2TmLXMPr6lVzga.exe"C:\Users\Admin\Documents\Id5oTYpCPO2TmLXMPr6lVzga.exe"3⤵
-
-
C:\Users\Admin\Documents\NQnfnNAw8pyMBAg1IF4Jotp4.exe"C:\Users\Admin\Documents\NQnfnNAw8pyMBAg1IF4Jotp4.exe"3⤵
-
-
C:\Users\Admin\Documents\yS_FKIPY2wvojLV_zauEfkaI.exe"C:\Users\Admin\Documents\yS_FKIPY2wvojLV_zauEfkaI.exe"3⤵
-
-
C:\Users\Admin\Documents\DVF1gNNn3AuHGW1YimmTL4P6.exe"C:\Users\Admin\Documents\DVF1gNNn3AuHGW1YimmTL4P6.exe"3⤵
-
-
C:\Users\Admin\Documents\DxAS5YWXrhRxlhCWCQbujqdl.exe"C:\Users\Admin\Documents\DxAS5YWXrhRxlhCWCQbujqdl.exe"3⤵
-
-
C:\Users\Admin\Documents\BaeqNV5BTYaxG1U0sNAOZkFf.exe"C:\Users\Admin\Documents\BaeqNV5BTYaxG1U0sNAOZkFf.exe"3⤵
-
-
C:\Users\Admin\Documents\TkoHH5pAd_YQTfmNgez1lAgN.exe"C:\Users\Admin\Documents\TkoHH5pAd_YQTfmNgez1lAgN.exe"3⤵
-
-
C:\Users\Admin\Documents\SquvNxaoQ68fsTwznyy4dWCK.exe"C:\Users\Admin\Documents\SquvNxaoQ68fsTwznyy4dWCK.exe"3⤵
-
-
C:\Users\Admin\Documents\KKd1vB5uLFp90grydWZuGTLp.exe"C:\Users\Admin\Documents\KKd1vB5uLFp90grydWZuGTLp.exe"3⤵
-
-
C:\Users\Admin\Documents\BA7Lu7RPqq5IeL31zeVprgz0.exe"C:\Users\Admin\Documents\BA7Lu7RPqq5IeL31zeVprgz0.exe"3⤵
-
-
C:\Users\Admin\Documents\4W6B4vQsMSX2buoOii0H2S_S.exe"C:\Users\Admin\Documents\4W6B4vQsMSX2buoOii0H2S_S.exe"3⤵
-
-
C:\Users\Admin\Documents\DuUEgq42e93RXvTC30ebzVA8.exe"C:\Users\Admin\Documents\DuUEgq42e93RXvTC30ebzVA8.exe"3⤵
-
-
C:\Users\Admin\Documents\mAxh_vFzb0GkmPRgbE94N86Y.exe"C:\Users\Admin\Documents\mAxh_vFzb0GkmPRgbE94N86Y.exe"3⤵
-
-
C:\Users\Admin\Documents\5TYohOmJBy8v547fX85hcflS.exe"C:\Users\Admin\Documents\5TYohOmJBy8v547fX85hcflS.exe"3⤵
-
-
C:\Users\Admin\Documents\uFVVXUYu_cpe4AYssHDk_RQy.exe"C:\Users\Admin\Documents\uFVVXUYu_cpe4AYssHDk_RQy.exe"3⤵
-
-
C:\Users\Admin\Documents\f5car4ogoq5Red0xnvbo6mm5.exe"C:\Users\Admin\Documents\f5car4ogoq5Red0xnvbo6mm5.exe"3⤵
-
-
C:\Users\Admin\Documents\lbruHzbH8t_KkkiyfBICBHlg.exe"C:\Users\Admin\Documents\lbruHzbH8t_KkkiyfBICBHlg.exe"3⤵
-
-
C:\Users\Admin\Documents\oGAxeF9l6sioBm_wcfE7TVtQ.exe"C:\Users\Admin\Documents\oGAxeF9l6sioBm_wcfE7TVtQ.exe"3⤵
-
-
C:\Users\Admin\Documents\MqDHP2Yy6iS7M9OzUoS4TlKQ.exe"C:\Users\Admin\Documents\MqDHP2Yy6iS7M9OzUoS4TlKQ.exe"3⤵
-
-
C:\Users\Admin\Documents\RnBDhDPAGWk9MoSCue63AnxL.exe"C:\Users\Admin\Documents\RnBDhDPAGWk9MoSCue63AnxL.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\mysetold.exe"C:\Users\Admin\AppData\Local\Temp\mysetold.exe"2⤵
-
C:\Users\Public\run.exeC:\Users\Public\run.exe3⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\run.exe"4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK5⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Public\run2.exeC:\Users\Public\run2.exe3⤵
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\78db5773302941058de47c5ab4f31cdb /t 2328 /p 50681⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\47012da96eeb425e9d5b6e71b5846345 /t 0 /p 51321⤵
-
C:\Users\Admin\AppData\Local\Temp\60C9.exeC:\Users\Admin\AppData\Local\Temp\60C9.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\62BE.exeC:\Users\Admin\AppData\Local\Temp\62BE.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
452KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
228KB
-
Filesize
304KB
-
Filesize
452KB
-
Filesize
5.0MB
-
Filesize
1.3MB
-
Filesize
64KB
-
Filesize
696KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
452KB
-
Filesize
36KB
-
Filesize
44.6MB
-
Filesize
9.1MB
-
Filesize
1.2MB
-
Filesize
40.4MB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.0MB
-
Filesize
372KB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
464KB
-
Filesize
312KB
-
Filesize
644KB
-
Filesize
572KB
-
Filesize
5.2MB
-
Filesize
8KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
1.3MB