Resubmissions
15/10/2024, 15:36
241015-s1zlzasdkc 1001/07/2024, 18:32
240701-w6yteawhmq 1001/07/2024, 14:52
240701-r82wmaxdnd 1001/07/2024, 14:52
240701-r8syqa1dpp 1011/03/2024, 21:22
240311-z8dsssgg58 1001/09/2021, 13:18
210901-5bmxjspa5s 1001/09/2021, 13:04
210901-te4btfspqa 1001/09/2021, 05:12
210901-4wnkwm1p3j 1031/08/2021, 21:47
210831-41rp97dma2 10Analysis
-
max time kernel
136s -
max time network
1833s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
27/08/2021, 15:40
General
-
Target
Setup (14).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Extracted
Family
vidar
Version
40.1
Botnet
937
C2
https://eduarroma.tumblr.com/
Attributes
-
profile_id
937
Extracted
Family
smokeloader
Version
2020
C2
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
redline
Botnet
27.08
C2
95.181.172.100:55640
Extracted
Family
redline
Botnet
ads
C2
45.93.4.12:80
Extracted
Family
redline
Botnet
installs8912
C2
185.186.142.245:22850
Extracted
Family
redline
Botnet
2608
C2
tambisup.com:9825
Extracted
Family
redline
C2
185.215.113.29:8678
205.185.119.191:18846
Extracted
Family
raccoon
Botnet
d02c5d65069fc7ce1993e7c52edf0c9c4c195c81
Attributes
-
url4cnc
https://telete.in/open3entershift
rc4.plain
rc4.plain
Extracted
Family
vidar
Version
40.1
Botnet
517
C2
https://eduarroma.tumblr.com/
Attributes
-
profile_id
517
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 2 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 22 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 6 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 27 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 39 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (14).exe"C:\Users\Admin\AppData\Local\Temp\Setup (14).exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\w2y8P6POvbO0Q6BIBZMDaqjI.exe"C:\Users\Admin\Documents\w2y8P6POvbO0Q6BIBZMDaqjI.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\nVwWkRQsPlq0Psj5W5EEX03V.exe"C:\Users\Admin\Documents\nVwWkRQsPlq0Psj5W5EEX03V.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\nVwWkRQsPlq0Psj5W5EEX03V.exe"C:\Users\Admin\Documents\nVwWkRQsPlq0Psj5W5EEX03V.exe"3⤵
-
-
-
C:\Users\Admin\Documents\8CtQGcS_cpQmRqf6cDKoc0Cs.exe"C:\Users\Admin\Documents\8CtQGcS_cpQmRqf6cDKoc0Cs.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\8CtQGcS_cpQmRqf6cDKoc0Cs.exe"C:\Users\Admin\Documents\8CtQGcS_cpQmRqf6cDKoc0Cs.exe"3⤵
-
-
-
C:\Users\Admin\Documents\2Ya678UWrcq5zWCNg4cfjLQj.exe"C:\Users\Admin\Documents\2Ya678UWrcq5zWCNg4cfjLQj.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f2584ec8-e62b-45fe-bc0a-11d0f75cc3bc\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\f2584ec8-e62b-45fe-bc0a-11d0f75cc3bc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f2584ec8-e62b-45fe-bc0a-11d0f75cc3bc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵
-
C:\Users\Admin\AppData\Local\Temp\f2584ec8-e62b-45fe-bc0a-11d0f75cc3bc\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\f2584ec8-e62b-45fe-bc0a-11d0f75cc3bc\AdvancedRun.exe" /SpecialRun 4101d8 28564⤵
-
-
-
-
C:\Users\Admin\Documents\XrNebqyjAfaN1SaqnP5JTtX_.exe"C:\Users\Admin\Documents\XrNebqyjAfaN1SaqnP5JTtX_.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\XrNebqyjAfaN1SaqnP5JTtX_.exe"C:\Users\Admin\Documents\XrNebqyjAfaN1SaqnP5JTtX_.exe"3⤵
-
-
-
C:\Users\Admin\Documents\bhVjgLESUa36iVabN3FtpOMo.exe"C:\Users\Admin\Documents\bhVjgLESUa36iVabN3FtpOMo.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe"C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
C:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exeC:\Users\Admin\Documents\ILboVEutHK63TVNe7jmv52Cn.exe3⤵
-
-
-
C:\Users\Admin\Documents\rzSu3A4cWhgmB0HnQTULQAyl.exe"C:\Users\Admin\Documents\rzSu3A4cWhgmB0HnQTULQAyl.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\ekxdmSjYbQjoGEG4VFKA3i3X.exe"C:\Users\Admin\Documents\ekxdmSjYbQjoGEG4VFKA3i3X.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "ekxdmSjYbQjoGEG4VFKA3i3X.exe" /f & erase "C:\Users\Admin\Documents\ekxdmSjYbQjoGEG4VFKA3i3X.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "ekxdmSjYbQjoGEG4VFKA3i3X.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\QdvZSH1wc_kMBoApiEYUVMHk.exe"C:\Users\Admin\Documents\QdvZSH1wc_kMBoApiEYUVMHk.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\pAErkHZYIeM662xfhDdxa22O.exe"C:\Users\Admin\Documents\pAErkHZYIeM662xfhDdxa22O.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\MvzOJOBbfGvM3JSGS_8hLmrm.exe"C:\Users\Admin\Documents\MvzOJOBbfGvM3JSGS_8hLmrm.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\w21c0kFqSV8RO2WyXK2_KtNQ.exe"C:\Users\Admin\Documents\w21c0kFqSV8RO2WyXK2_KtNQ.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\3SjaR2RE1L8knFIN61MJQ7QT.exe"C:\Users\Admin\Documents\3SjaR2RE1L8knFIN61MJQ7QT.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\urbVrkevMi7RA399gutcgjLl.exe"C:\Users\Admin\Documents\urbVrkevMi7RA399gutcgjLl.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "urbVrkevMi7RA399gutcgjLl.exe" /f & erase "C:\Users\Admin\Documents\urbVrkevMi7RA399gutcgjLl.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "urbVrkevMi7RA399gutcgjLl.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\9jbWbUg0EyclHsdrN5Cml41W.exe"C:\Users\Admin\Documents\9jbWbUg0EyclHsdrN5Cml41W.exe"2⤵
-
-
C:\Users\Admin\Documents\g3mUhYUSM9xw2JQiYDDGLXKg.exe"C:\Users\Admin\Documents\g3mUhYUSM9xw2JQiYDDGLXKg.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\g3mUhYUSM9xw2JQiYDDGLXKg.exe"C:\Users\Admin\Documents\g3mUhYUSM9xw2JQiYDDGLXKg.exe"3⤵
-
-
-
C:\Users\Admin\Documents\T92m2IBFxQyYZXYShPO3bZiV.exe"C:\Users\Admin\Documents\T92m2IBFxQyYZXYShPO3bZiV.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\9ywwgXCsNu0X6SImXG8HhnN7.exe"C:\Users\Admin\Documents\9ywwgXCsNu0X6SImXG8HhnN7.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\45myt_OeBMbZKMCspyUxwF5d.exe"C:\Users\Admin\Documents\45myt_OeBMbZKMCspyUxwF5d.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe"C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
C:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exeC:\Users\Admin\Documents\C6CKIkJEBldz95HuUruUiaMk.exe3⤵
-
-
-
C:\Users\Admin\Documents\pt_HHX7QX6eQqiX3tC0pLXhw.exe"C:\Users\Admin\Documents\pt_HHX7QX6eQqiX3tC0pLXhw.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 8683⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\MnYj2xz4QUDigOr8I_UNKkCj.exe"C:\Users\Admin\Documents\MnYj2xz4QUDigOr8I_UNKkCj.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\8tzM1Ds2SJ4KC_QiMa5GB6yG.exe"C:\Users\Admin\Documents\8tzM1Ds2SJ4KC_QiMa5GB6yG.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
-
-
-
-
C:\Users\Admin\Documents\tjowZ3D2kH_sUhKGuCb1I6Nk.exe"C:\Users\Admin\Documents\tjowZ3D2kH_sUhKGuCb1I6Nk.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\loqO_u75LQ6wutazA9ovcMqt.exe"C:\Users\Admin\Documents\loqO_u75LQ6wutazA9ovcMqt.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\qfg6XGEB4yHQdpUslQgS2_zK.exe"C:\Users\Admin\Documents\qfg6XGEB4yHQdpUslQgS2_zK.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\d1hAduCvAvhrFHQnjSYAZjuV.exe"C:\Users\Admin\Documents\d1hAduCvAvhrFHQnjSYAZjuV.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\8095.exeC:\Users\Admin\AppData\Local\Temp\8095.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\8095.exeC:\Users\Admin\AppData\Local\Temp\8095.exe2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\d8c3f4c9-824b-4ebb-a508-0b378a1ddfed" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\8095.exe"C:\Users\Admin\AppData\Local\Temp\8095.exe" --Admin IsNotAutoStart IsNotTask3⤵
-
C:\Users\Admin\AppData\Local\Temp\8095.exe"C:\Users\Admin\AppData\Local\Temp\8095.exe" --Admin IsNotAutoStart IsNotTask4⤵
-
C:\Users\Admin\AppData\Local\95ee40cb-b37b-4190-bc9c-70489f41110a\build2.exe"C:\Users\Admin\AppData\Local\95ee40cb-b37b-4190-bc9c-70489f41110a\build2.exe"5⤵
-
C:\Users\Admin\AppData\Local\95ee40cb-b37b-4190-bc9c-70489f41110a\build2.exe"C:\Users\Admin\AppData\Local\95ee40cb-b37b-4190-bc9c-70489f41110a\build2.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 9007⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\95ee40cb-b37b-4190-bc9c-70489f41110a\build3.exe"C:\Users\Admin\AppData\Local\95ee40cb-b37b-4190-bc9c-70489f41110a\build3.exe"5⤵
-
C:\Users\Admin\AppData\Local\95ee40cb-b37b-4190-bc9c-70489f41110a\build3.exe"C:\Users\Admin\AppData\Local\95ee40cb-b37b-4190-bc9c-70489f41110a\build3.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\A2A6.exeC:\Users\Admin\AppData\Local\Temp\A2A6.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\E85E.exeC:\Users\Admin\AppData\Local\Temp\E85E.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1690.exeC:\Users\Admin\AppData\Local\Temp\1690.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1690.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\83wyPamxz7.exe"C:\Users\Admin\AppData\Local\Temp\83wyPamxz7.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'DriverService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'DriverService' -Value '"C:\Users\Admin\AppData\Roaming\WinServices\DriversService.exe"' -PropertyType 'String'3⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe --algo rx/0 --donate-level 0 --max-cpu-usage 50 -o xmr.2miners.com:2222 -u 44F6hYbmZKLNA5hqDbu3LEMF74E4A6FqXB6GZSaamunHC569o4HBeDwd8jp2ac7RjqMijmGSWKDRMFgFXC9TTSarFzGpC3M -p x3⤵
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {42436F4F-408F-4848-B2A4-186D2089AE5B} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\d8c3f4c9-824b-4ebb-a508-0b378a1ddfed\8095.exeC:\Users\Admin\AppData\Local\d8c3f4c9-824b-4ebb-a508-0b378a1ddfed\8095.exe --Task2⤵
-
C:\Users\Admin\AppData\Local\d8c3f4c9-824b-4ebb-a508-0b378a1ddfed\8095.exeC:\Users\Admin\AppData\Local\d8c3f4c9-824b-4ebb-a508-0b378a1ddfed\8095.exe --Task3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\auwcjuhC:\Users\Admin\AppData\Roaming\auwcjuh2⤵
-
-
C:\Users\Admin\AppData\Roaming\cvwcjuhC:\Users\Admin\AppData\Roaming\cvwcjuh2⤵
-
C:\Users\Admin\AppData\Roaming\cvwcjuhC:\Users\Admin\AppData\Roaming\cvwcjuh3⤵
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\8FD5.exeC:\Users\Admin\AppData\Local\Temp\8FD5.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\4002.exeC:\Users\Admin\AppData\Local\Temp\4002.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\CBAF.exeC:\Users\Admin\AppData\Local\Temp\CBAF.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zzoijuqq\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xrnteogm.exe" C:\Windows\SysWOW64\zzoijuqq\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create zzoijuqq binPath= "C:\Windows\SysWOW64\zzoijuqq\xrnteogm.exe /d\"C:\Users\Admin\AppData\Local\Temp\CBAF.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description zzoijuqq "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start zzoijuqq2⤵
-
-
C:\Windows\SysWOW64\zzoijuqq\xrnteogm.exeC:\Windows\SysWOW64\zzoijuqq\xrnteogm.exe /d"C:\Users\Admin\AppData\Local\Temp\CBAF.exe"1⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\8D78.exeC:\Users\Admin\AppData\Local\Temp\8D78.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
40.8MB
-
Filesize
8KB
-
Filesize
112KB
-
Filesize
104KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
31.7MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
628KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
40.8MB
-
Filesize
192KB
-
Filesize
32.0MB
-
Filesize
628KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
31.7MB
-
Filesize
644KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
35.8MB
-
Filesize
9.1MB
-
Filesize
428KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
116KB
-
Filesize
8KB
-
Filesize
31.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
31.9MB
-
Filesize
572KB
-
Filesize
36KB
-
Filesize
632KB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB