Analysis
-
max time kernel
168s -
max time network
160s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
08-12-2021 13:17
General
-
Target
https://mega.nz/file/jE10VaJZ#JUVA25eyV3D1NBdhFWfCxxIXcHOp2In2xQPftdkpMjU
Score
8/10
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 23 IoCs
-
Modifies registry class 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/jE10VaJZ#JUVA25eyV3D1NBdhFWfCxxIXcHOp2In2xQPftdkpMjU1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb358f4f50,0x7ffb358f4f60,0x7ffb358f4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1920 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1544 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4088 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:12⤵
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.DateAndTime2⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3100 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4820 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:82⤵
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.DateAndTime2⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl3⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4212 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4848 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:12⤵
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.DateAndTime2⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3024 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2996 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5256 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:82⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5796 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5520 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,15587866119258827796,8547505705549826150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Loader.rar"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\swz.exe"C:\Users\Admin\Desktop\swz.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /T /IM setuperr.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Users\Admin\AppData\Local\Temp\xscT83UADnhAUXwhszShkELDsL5vmSD8Znd.exe"C:\Users\Admin\AppData\Local\Temp\xscT83UADnhAUXwhszShkELDsL5vmSD8Znd.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\taskkill.exetaskkill /F /T /IM setuperr.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\xscT83UADnhAUXwhszShkELDsL5vmSD8Znd.exeMD5
cd9b53c2e589361c01423639db787dd1
SHA191b4614e1b13ba2c697b0bb9dcc0e7975eee6283
SHA256ae63744f4e9f1e2b0e29a4073e1106337ee15dead315a117db3840717ed102bd
SHA512ddf8e0958229f4afc9d713e27f47b188d18405e5cf385144729a3cc607f2e86e048f908007818577c8d81eb7b2dfb84eeb92e2f9c7c88d1ddd9fddc8fd848aac
-
C:\Users\Admin\AppData\Local\Temp\xscT83UADnhAUXwhszShkELDsL5vmSD8Znd.exeMD5
cd9b53c2e589361c01423639db787dd1
SHA191b4614e1b13ba2c697b0bb9dcc0e7975eee6283
SHA256ae63744f4e9f1e2b0e29a4073e1106337ee15dead315a117db3840717ed102bd
SHA512ddf8e0958229f4afc9d713e27f47b188d18405e5cf385144729a3cc607f2e86e048f908007818577c8d81eb7b2dfb84eeb92e2f9c7c88d1ddd9fddc8fd848aac
-
C:\Users\Admin\Desktop\swz.exeMD5
86b0a59ac36bfc73dbed070457b51aa4
SHA11ae92612a11c3f2e3fa4faeea62e7e6de91fa551
SHA256d0508888c9b29031e9d5860dd8936ba07d4e7b482ee1f3a19a3dd4b6310ea484
SHA51240af67b66f9d70c2afcae96e57af1c14cdd1eff0813214402462d532b296eb245fc541078b66a5c21182ced1cdd2fb5f269e27ca3bc8463b3879fb3e13325fb6
-
C:\Users\Admin\Desktop\swz.exeMD5
86b0a59ac36bfc73dbed070457b51aa4
SHA11ae92612a11c3f2e3fa4faeea62e7e6de91fa551
SHA256d0508888c9b29031e9d5860dd8936ba07d4e7b482ee1f3a19a3dd4b6310ea484
SHA51240af67b66f9d70c2afcae96e57af1c14cdd1eff0813214402462d532b296eb245fc541078b66a5c21182ced1cdd2fb5f269e27ca3bc8463b3879fb3e13325fb6
-
C:\Users\Admin\Downloads\Loader.rarMD5
8c7ecef5b23bf1b1f19a4ec480c1ffa9
SHA1a1ae8c12b6b3e9d5d2e65747ab0c3d3f372104d5
SHA2560da48a27672c142fdc0409ab8ff7eb33b2432216a8d7ba474a91cb0d91e26bef
SHA51231c3469e7fcfbf7d10604a7e9de84dccb17c1cf6f7fe18e5aab44099742add28aa872ecdc12665eec3ea2df455df5f4ba81475eb5e20f52497325060c18c8c62
-
\??\pipe\crashpad_3676_CPDQPHXVFJTKVCYMMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/348-185-0x0000000000000000-mapping.dmp
-
memory/680-142-0x0000000000000000-mapping.dmp
-
memory/1012-164-0x0000000000000000-mapping.dmp
-
memory/1220-137-0x0000000000000000-mapping.dmp
-
memory/1268-121-0x0000000000000000-mapping.dmp
-
memory/1396-155-0x0000000000000000-mapping.dmp
-
memory/1476-156-0x0000000000000000-mapping.dmp
-
memory/1508-119-0x0000000000000000-mapping.dmp
-
memory/1584-159-0x0000000000000000-mapping.dmp
-
memory/1764-158-0x0000000000000000-mapping.dmp
-
memory/1920-157-0x0000000000000000-mapping.dmp
-
memory/1976-131-0x0000000000000000-mapping.dmp
-
memory/1992-132-0x0000000000000000-mapping.dmp
-
memory/1996-141-0x0000000000000000-mapping.dmp
-
memory/2004-167-0x0000000000000000-mapping.dmp
-
memory/2008-120-0x0000000000000000-mapping.dmp
-
memory/2056-123-0x0000000000000000-mapping.dmp
-
memory/2076-144-0x0000000000000000-mapping.dmp
-
memory/2132-140-0x0000000000000000-mapping.dmp
-
memory/2216-143-0x0000000000000000-mapping.dmp
-
memory/2240-161-0x0000000000000000-mapping.dmp
-
memory/2268-162-0x0000000000000000-mapping.dmp
-
memory/2304-163-0x0000000000000000-mapping.dmp
-
memory/2332-169-0x0000000000000000-mapping.dmp
-
memory/2404-165-0x0000000000000000-mapping.dmp
-
memory/2432-166-0x0000000000000000-mapping.dmp
-
memory/2676-160-0x0000000000000000-mapping.dmp
-
memory/2704-147-0x0000000000000000-mapping.dmp
-
memory/2872-181-0x0000000000000000-mapping.dmp
-
memory/2944-178-0x0000000000000000-mapping.dmp
-
memory/2956-136-0x0000000000000000-mapping.dmp
-
memory/2964-138-0x0000000000000000-mapping.dmp
-
memory/2972-139-0x0000000000000000-mapping.dmp
-
memory/3152-154-0x0000000000000000-mapping.dmp
-
memory/3184-182-0x0000000000000000-mapping.dmp
-
memory/3400-148-0x0000000000000000-mapping.dmp
-
memory/3448-179-0x0000000000000000-mapping.dmp
-
memory/3492-150-0x0000000000000000-mapping.dmp
-
memory/3628-149-0x0000000000000000-mapping.dmp
-
memory/3644-183-0x0000000000000000-mapping.dmp
-
memory/3700-130-0x0000000000000000-mapping.dmp
-
memory/3756-175-0x0000000000000000-mapping.dmp
-
memory/3864-152-0x0000000000000000-mapping.dmp
-
memory/3936-173-0x0000000000000000-mapping.dmp
-
memory/3972-146-0x0000000000000000-mapping.dmp
-
memory/4040-180-0x0000000000000000-mapping.dmp
-
memory/4076-145-0x0000000000000000-mapping.dmp
-
memory/4188-174-0x0000000000000000-mapping.dmp
-
memory/4232-135-0x0000000000000000-mapping.dmp
-
memory/4300-184-0x0000000000000000-mapping.dmp
-
memory/4312-186-0x0000000000000000-mapping.dmp
-
memory/4364-187-0x0000000000000000-mapping.dmp
-
memory/4408-153-0x0000000000000000-mapping.dmp
-
memory/4448-128-0x0000000140000000-0x0000000140807000-memory.dmpFilesize
8.0MB
-
memory/4448-129-0x00007FFB41EE0000-0x00007FFB41EE2000-memory.dmpFilesize
8KB
-
memory/4476-124-0x0000000000000000-mapping.dmp
-
memory/4488-172-0x0000000000000000-mapping.dmp
-
memory/4584-177-0x0000000000000000-mapping.dmp
-
memory/4592-133-0x0000000000000000-mapping.dmp
-
memory/4796-134-0x0000000000000000-mapping.dmp
-
memory/4888-122-0x0000000000000000-mapping.dmp
-
memory/4900-168-0x0000000000000000-mapping.dmp
-
memory/4916-170-0x0000000000000000-mapping.dmp
-
memory/4952-171-0x0000000000000000-mapping.dmp
-
memory/5036-151-0x0000000000000000-mapping.dmp
-
memory/5064-176-0x0000000000000000-mapping.dmp