Analysis
-
max time kernel
1812s -
max time network
1815s -
platform
windows7_x64 -
resource
win7-fr -
submitted
11-09-2021 20:41
General
-
Target
setup_x86_x64_install.exe
-
Size
3.4MB
-
MD5
f59a5fd82eaf0088e7853c09922ce477
-
SHA1
969d1debc32996a4d53c4a36d2241511cb8b77ec
-
SHA256
291505b584fdf540a1590ce7181d85cee7967f99cbf05aeb7b7031b6a9b4f2cd
-
SHA512
344192b08874df2cf922f782400435f109eb5bab7c3c582f4eb3fe328cadcb2d2c3ddd02ba816663168f9c997766f089731e657afe2cefb7bda773e6e6dca71c
Score
10/10
Malware Config
Extracted
Path
C:\_readme.txt
Family
djvu
Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-CtDpAM1g5f
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
0333gSd743dfRiXRqq62TeogIfmpihYZJ6wDmuUVD07WwczX6Bm
URLs
https://we.tl/t-CtDpAM1g5f
Extracted
Family
vidar
Version
40.5
Botnet
706
C2
https://gheorghip.tumblr.com/
Attributes
-
profile_id
706
Extracted
Family
smokeloader
Version
2020
C2
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
40.5
Botnet
517
C2
https://gheorghip.tumblr.com/
Attributes
-
profile_id
517
Extracted
Family
vidar
Version
40.5
Botnet
993
C2
https://gheorghip.tumblr.com/
Attributes
-
profile_id
993
Signatures
-
Detected Djvu ransomware 2 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 5 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 5 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 64 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 24 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 34 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 30 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 4 IoCs
-
Kills process with taskkill 8 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 24 IoCs
-
Modifies system certificate store 2 TTPs 12 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 6 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 20 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0D696124\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0D696124\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat191649b47c9e2.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat191649b47c9e2.exeSat191649b47c9e2.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\795168.exe"C:\ProgramData\795168.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2872 -s 17327⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\8209560.exe"C:\ProgramData\8209560.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
-
-
C:\ProgramData\6384253.exe"C:\ProgramData\6384253.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\6384253.exe"C:\ProgramData\6384253.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 7127⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\5771500.exe"C:\ProgramData\5771500.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIPt: close ( crEateobJeCt ("wsCRIpT.sHEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\ProgramData\5771500.exe"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 & If """"== """" for %l In ( ""C:\ProgramData\5771500.exe"") do taskkill -Im ""%~nxl"" /F " , 0 , TRuE) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\ProgramData\5771500.exe" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 & If ""== "" for %l In ( "C:\ProgramData\5771500.exe") do taskkill -Im "%~nxl" /F8⤵
-
C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exEC3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw99⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIPt: close ( crEateobJeCt ("wsCRIpT.sHEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 & If ""-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 ""== """" for %l In ( ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"") do taskkill -Im ""%~nxl"" /F " , 0 , TRuE) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 & If "-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 "== "" for %l In ( "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE") do taskkill -Im "%~nxl" /F11⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY10⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -Im "5771500.exe" /F9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\ProgramData\7915684.exe"C:\ProgramData\7915684.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 17607⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat19e4750dd01.exe /mixone4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat19e4750dd01.exeSat19e4750dd01.exe /mixone5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat19e4750dd01.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat19e4750dd01.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Sat19e4750dd01.exe" /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat199ba8a4637dcb034.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat199ba8a4637dcb034.exeSat199ba8a4637dcb034.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1946eb84e6.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat1946eb84e6.exeSat1946eb84e6.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat196ac06a9e6.exe4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat19c6762a08beae.exe4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat19e6a852f849bb2.exe4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat19ba05e89ea6d406.exe4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat19f84b58b3d7.exe4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat196ac06a9e6.exeSat196ac06a9e6.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat19e6a852f849bb2.exeSat19e6a852f849bb2.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 9762⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat19c6762a08beae.exeSat19c6762a08beae.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat19ba05e89ea6d406.exeSat19ba05e89ea6d406.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-SP2J3.tmp\Sat19ba05e89ea6d406.tmp"C:\Users\Admin\AppData\Local\Temp\is-SP2J3.tmp\Sat19ba05e89ea6d406.tmp" /SL5="$60136,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0D696124\Sat19ba05e89ea6d406.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-1V4CJ.tmp\46807GHF____.exe"C:\Users\Admin\AppData\Local\Temp\is-1V4CJ.tmp\46807GHF____.exe" /S /UID=burnerch23⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Mozilla Firefox\YFFUNBFGNC\ultramediaburner.exe"C:\Program Files\Mozilla Firefox\YFFUNBFGNC\ultramediaburner.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-JOLEN.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-JOLEN.tmp\ultramediaburner.tmp" /SL5="$30180,281924,62464,C:\Program Files\Mozilla Firefox\YFFUNBFGNC\ultramediaburner.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu6⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\f5-5904a-b33-73c84-e4f8fc1c025d0\Vososamime.exe"C:\Users\Admin\AppData\Local\Temp\f5-5904a-b33-73c84-e4f8fc1c025d0\Vososamime.exe"4⤵
- Executes dropped EXE
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e65⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:1586187 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:734242 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:1192990 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:799774 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:799796 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:734281 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:1258587 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:4011062 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:472177 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad5⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18514835⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18515135⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=20872155⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=42631195⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=12942315⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1492888&var=35⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\7e-3199b-ad4-385bd-5a896535a5cb6\Maeqeshyhoto.exe"C:\Users\Admin\AppData\Local\Temp\7e-3199b-ad4-385bd-5a896535a5cb6\Maeqeshyhoto.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w0mdl44t.swb\GcleanerEU.exe /eufive & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\w0mdl44t.swb\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\w0mdl44t.swb\GcleanerEU.exe /eufive6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\w0mdl44t.swb\GcleanerEU.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f8⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jaoqpigf.zbc\installer.exe /qn CAMPAIGN="654" & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\jaoqpigf.zbc\installer.exeC:\Users\Admin\AppData\Local\Temp\jaoqpigf.zbc\installer.exe /qn CAMPAIGN="654"6⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\jaoqpigf.zbc\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\jaoqpigf.zbc\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631133451 /qn CAMPAIGN=""654"" " CAMPAIGN="654"7⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uugw3lq1.b1o\anyname.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\uugw3lq1.b1o\anyname.exeC:\Users\Admin\AppData\Local\Temp\uugw3lq1.b1o\anyname.exe6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\paau0ga2.dmq\gcleaner.exe /mixfive & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\paau0ga2.dmq\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\paau0ga2.dmq\gcleaner.exe /mixfive6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\paau0ga2.dmq\gcleaner.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f8⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2po3pay4.up2\autosubplayer.exe /S & exit5⤵
-
-
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3357038103890CB74DA0F3E186CE311B C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9F390E3CD75E85D9C096B2FC1D2786C42⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding ADA8DC425C27DE4B120E8174DFE95230 M Global\MSI00002⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\510D.exeC:\Users\Admin\AppData\Local\Temp\510D.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6AA6.exeC:\Users\Admin\AppData\Local\Temp\6AA6.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8BAE.exeC:\Users\Admin\AppData\Local\Temp\8BAE.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\8BAE.exeC:\Users\Admin\AppData\Local\Temp\8BAE.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\8BAE.exe"C:\Users\Admin\AppData\Local\Temp\8BAE.exe" --Admin IsNotAutoStart IsNotTask3⤵
-
C:\Users\Admin\AppData\Local\Temp\8BAE.exe"C:\Users\Admin\AppData\Local\Temp\8BAE.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build2.exe"C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build2.exe"C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build2.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build2.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build3.exe"C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build3.exe"C:\Users\Admin\AppData\Local\affe4087-e0fd-4750-b505-c138bf12a05d\build3.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\BEEF.exeC:\Users\Admin\AppData\Local\Temp\BEEF.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\BEEF.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\WnUKuKwEyu.exe"C:\Users\Admin\AppData\Local\Temp\WnUKuKwEyu.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\system32\taskeng.exetaskeng.exe {9A49859D-4422-408C-A7FB-6EBFD1C6673C} S-1-5-21-1669990088-476967504-438132596-1000:KJUCCLUP\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\avwvuuwC:\Users\Admin\AppData\Roaming\avwvuuw2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exeC:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exeC:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exe --Task3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\avwvuuwC:\Users\Admin\AppData\Roaming\avwvuuw2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exeC:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exeC:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exe --Task3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exeC:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exeC:\Users\Admin\AppData\Local\8eba5073-8b2a-4439-97a1-0cbad0b7ee97\8BAE.exe --Task3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\4010.exeC:\Users\Admin\AppData\Local\Temp\4010.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-244508444862206081-212929308874554396-3793658631545669950119089633970821402"1⤵
-
C:\Users\Admin\AppData\Local\Temp\629F.exeC:\Users\Admin\AppData\Local\Temp\629F.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 629F.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\629F.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 629F.exe /f3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\A8B4.exeC:\Users\Admin\AppData\Local\Temp\A8B4.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\A8B4.exe"2⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {7C2F96A0-D5EF-44D5-978F-EB09A410BAE3} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 80802⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 80802⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 80802⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 80802⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 80802⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 80802⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 80802⤵
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 80802⤵
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 80802⤵
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 80802⤵
-
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
348KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
19.5MB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
84KB
-
Filesize
39.4MB
-
Filesize
576KB
-
Filesize
29.5MB
-
Filesize
19.5MB
-
Filesize
16KB
-
Filesize
39.4MB
-
Filesize
288KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
19.9MB
-
Filesize
19.9MB
-
Filesize
436KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
19.6MB
-
Filesize
192KB
-
Filesize
8KB
-
Filesize
12.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
124KB
-
Filesize
840KB
-
Filesize
39.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
39.8MB
-
Filesize
836KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
3.0MB
-
Filesize
19.8MB
-
Filesize
576KB
-
Filesize
852KB
-
Filesize
728KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
1.1MB
-
Filesize
24KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
8KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
3.0MB
-
Filesize
8KB
-
Filesize
124KB