Analysis
-
max time kernel
1787s -
max time network
1798s -
platform
windows10-2004_x64 -
resource
win10v2004-20220331-en -
submitted
07-04-2022 19:27
General
-
Target
VirusShare_41dd108ada487cb93a6e099e074f605b.exe
-
Size
382KB
-
MD5
41dd108ada487cb93a6e099e074f605b
-
SHA1
354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
-
SHA256
aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
-
SHA512
33adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.html
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt
cerber
http://4kqd3hmqgptupi3p.wins4n.win/361E-2C46-C64F-0078-1CFC
http://4kqd3hmqgptupi3p.we34re.top/361E-2C46-C64F-0078-1CFC
http://4kqd3hmqgptupi3p.5kti58.top/361E-2C46-C64F-0078-1CFC
http://4kqd3hmqgptupi3p.vmckfi.top/361E-2C46-C64F-0078-1CFC
http://4kqd3hmqgptupi3p.onion.to/361E-2C46-C64F-0078-1CFC
http://4kqd3hmqgptupi3p.onion/361E-2C46-C64F-0078-1CFC
Extracted
C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
http://4kqd3hmqgptupi3p.wins4n.win/361E-2C46-C64F-0078-1CFC
http://4kqd3hmqgptupi3p.we34re.top/361E-2C46-C64F-0078-1CFC
http://4kqd3hmqgptupi3p.5kti58.top/361E-2C46-C64F-0078-1CFC
http://4kqd3hmqgptupi3p.vmckfi.top/361E-2C46-C64F-0078-1CFC
http://4kqd3hmqgptupi3p.onion.to/361E-2C46-C64F-0078-1CFC
http://4kqd3hmqgptupi3p.onion/361E-2C46-C64F-0078-1CFC
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (16422) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 10 IoCs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_41dd108ada487cb93a6e099e074f605b.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_41dd108ada487cb93a6e099e074f605b.exe"1⤵
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exe"C:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exe"2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa5a5d46f8,0x7ffa5a5d4708,0x7ffa5a5d47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2592166406724061044,1600841099645066096,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,2592166406724061044,1600841099645066096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:34⤵
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt3⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://4kqd3hmqgptupi3p.wins4n.win/361E-2C46-C64F-0078-1CFC3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd4,0x110,0x7ffa5a5d46f8,0x7ffa5a5d4708,0x7ffa5a5d47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3912 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6272 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6616 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6616 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe4,0x114,0xf0,0x10c,0xdc,0x7ff74ad55460,0x7ff74ad55470,0x7ff74ad554805⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6664 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5720 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2016 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1308 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4196 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3516 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,13249192152578827037,5569570586284849837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:84⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"3⤵
-
-
C:\Windows\system32\cmd.exe/d /c taskkill /t /f /im "bitsadmin.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exe" > NUL3⤵
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im "bitsadmin.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "VirusShare_41dd108ada487cb93a6e099e074f605b.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_41dd108ada487cb93a6e099e074f605b.exe" > NUL2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im "VirusShare_41dd108ada487cb93a6e099e074f605b.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
-
-
C:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exeC:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exeC:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exeC:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exeC:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exeC:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exeC:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exeC:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exeC:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x508 0x4e81⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exeC:\Users\Admin\AppData\Roaming\{8F96F56F-5268-382E-17C0-CEDE4D5A91E2}\bitsadmin.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "" > NUL & ping -n 1 127.0.0.1 > NUL & del "" > NUL2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im ""3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5d2a99ffb2c73d006e4e8ffa26557ad1a
SHA1676a39fb0687a05570e66ed2a5fdbbd846168367
SHA25669ece1dfccce0a7eae10152fdfbecbc3cf8264bf981a55d141f5efa25d3d4aa9
SHA5129bdebd6569f028e239da76ed67a593c53da04fb2f73c325f88c1bd83416c93080d778604d9894d2a02276736ef30b4654040460cfb040d185147eee0d02c50ed
-
Filesize
446B
MD53c3af99524ce18a3fe0ceac73afb24f5
SHA12ec2881fc809068501f1a365c531647a80e6414b
SHA2560471481adbd04eac6649187d446e5871177815efe98dc3fbba01cf3ea765707d
SHA5128497a1e8a05e1529504c04ce742ebba723115fa49f8e8a8ddcff401aa98358100a2857f54b7c450ed38a2b02d94be3c2ad221bff79baed82a337cb94fcdbf2ef
-
Filesize
152B
MD57610889f134b713f224e9dc8dc2f1c47
SHA1ca99dadb458a7abb868bd65389ceac72dfb95f9b
SHA256127452182a479b418f3785541ab12c84105d6842d1800aea5a0473fe941f8d89
SHA5122a67d3ea68812f9fd8c58b6a2718133d7e69085e589f89e43ea12ec5ca3e006938144246560026415b4be8f30eabd88d3685f7780af1c143a43c822b7b5af312
-
Filesize
152B
MD57610889f134b713f224e9dc8dc2f1c47
SHA1ca99dadb458a7abb868bd65389ceac72dfb95f9b
SHA256127452182a479b418f3785541ab12c84105d6842d1800aea5a0473fe941f8d89
SHA5122a67d3ea68812f9fd8c58b6a2718133d7e69085e589f89e43ea12ec5ca3e006938144246560026415b4be8f30eabd88d3685f7780af1c143a43c822b7b5af312
-
Filesize
152B
MD57610889f134b713f224e9dc8dc2f1c47
SHA1ca99dadb458a7abb868bd65389ceac72dfb95f9b
SHA256127452182a479b418f3785541ab12c84105d6842d1800aea5a0473fe941f8d89
SHA5122a67d3ea68812f9fd8c58b6a2718133d7e69085e589f89e43ea12ec5ca3e006938144246560026415b4be8f30eabd88d3685f7780af1c143a43c822b7b5af312
-
Filesize
152B
MD57610889f134b713f224e9dc8dc2f1c47
SHA1ca99dadb458a7abb868bd65389ceac72dfb95f9b
SHA256127452182a479b418f3785541ab12c84105d6842d1800aea5a0473fe941f8d89
SHA5122a67d3ea68812f9fd8c58b6a2718133d7e69085e589f89e43ea12ec5ca3e006938144246560026415b4be8f30eabd88d3685f7780af1c143a43c822b7b5af312
-
Filesize
152B
MD57c709b14135a1c77814a526a2b460a97
SHA1547bd68514a32a612c7c98e5324a35ea5b39d7a2
SHA256ef9d2108ad41aa1480db4b633bcf66c964b5d8d8aab6f3372143242affd948d4
SHA512baeb04f10ec0383f15ed5cfdf3242b69cbe3f166872012e5b85e83ca95e276623f62a923accc615394fd4058abe61809645f2cdaa0fafee099962a04541021c4
-
Filesize
152B
MD57c709b14135a1c77814a526a2b460a97
SHA1547bd68514a32a612c7c98e5324a35ea5b39d7a2
SHA256ef9d2108ad41aa1480db4b633bcf66c964b5d8d8aab6f3372143242affd948d4
SHA512baeb04f10ec0383f15ed5cfdf3242b69cbe3f166872012e5b85e83ca95e276623f62a923accc615394fd4058abe61809645f2cdaa0fafee099962a04541021c4
-
Filesize
152B
MD57c709b14135a1c77814a526a2b460a97
SHA1547bd68514a32a612c7c98e5324a35ea5b39d7a2
SHA256ef9d2108ad41aa1480db4b633bcf66c964b5d8d8aab6f3372143242affd948d4
SHA512baeb04f10ec0383f15ed5cfdf3242b69cbe3f166872012e5b85e83ca95e276623f62a923accc615394fd4058abe61809645f2cdaa0fafee099962a04541021c4
-
Filesize
2KB
MD5ef1492c083146aa85ec95b607e781551
SHA1de1931540eabd9c57ad963da066d04a1f9c82da0
SHA25699c7ca9fdc2617e8437c42776516e013198dcb9941f67fca266ced43c7a5b305
SHA512cf8cf71b7d3fe22340dcda360e4659db4511b52b20001bb7a331b60282622d377af34e6a87621b277a935aa72e642db2665cc2d61efda2fe4caf57153a8235db
-
Filesize
24KB
MD54e9962558e74db5038d8073a5b3431aa
SHA13cd097d9dd4b16a69efbb0fd1efe862867822146
SHA2566f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279
SHA512fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e
-
Filesize
4KB
MD5fad197d6ffd32d1268b9e7e8d13ab32a
SHA1b0129887a75965bb2ef56a2c39d3231e5b87265d
SHA2564e446af739e1a06b48a73607e9441bc4aa34ceafd808ff845864408179a4d2c3
SHA51201d9f588bfa315e316ff0ff4a15a0a49144fd77ee89960882cd528d7f7a277b086667cea2357c3ca2bd16a2b3f4aeb7fcaf473501b499101be68acbe1e0126cb
-
Filesize
6KB
MD594c183b842784d0ae69f8aa57c8ac015
SHA1c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd
SHA256aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25
SHA5125808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb
-
Filesize
1KB
MD58c31feb9c3faaa9794aa22ce9f48bfbd
SHA1f5411608a15e803afc97961b310bb21a6a8bd5b6
SHA2566016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d
SHA512ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa
-
Filesize
68KB
MD50d37c9d98f35f2c6524bd9b874ec93ed
SHA187d2d1149db8a1c2d91bc8d2d6e2827d2d8850f5
SHA25619ce05d2716fae5d0d6e2067a7a624c0fa7f8b02486d9469861fd30cf1c499ac
SHA51268e73804a144cbe7287c2136ab1986c4e2a97c497d5bfd36ef5db0f1fb1b4a28839d63d83019082ce61af9b42853934888ce05d6b28350742776b97fa310a575
-
Filesize
1KB
MD5b51076d21461e00fcbf3dbd2c9e96b2b
SHA131311536cf570f2f9c88d21f03a935ac6e233231
SHA25621a8d3e85d76761a1aab9dca765efef5dfa08d49db037befd91833e4639dd993
SHA5123e193220ddddc47ecea32a2f777e55faa12c7a8052323455c8d7a89c01048155c77ae009fd0f5bebea89f1fae4a88b6b3ceca4e808064f474ea5b3a9497598cb
-
Filesize
34B
MD5cd0395742b85e2b669eaec1d5f15b65b
SHA143c81d1c62fc7ff94f9364639c9a46a0747d122e
SHA2562b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707
SHA5124df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0
-
Filesize
999B
MD5152b745da17397ed5a2f3059bb157600
SHA147bf4e575ba1acf47dcc99f1800f753b4cc65ef6
SHA256ef994058a637f7b1b47c31c8670977084d1f86cc21a196920aa87f8ed31e98e8
SHA5124984a8a46eb452b3c62f2c2ca8c9d999de37c39895ad9a9ed91d12a7731b1cd227f335829f7a6927f19cd8bf4dd7d6749fc853461a46fc97853d5b9e23171d31
-
Filesize
459B
MD5d024831cae8599f0edee70275d99e843
SHA169e08b543802b130da5305cbb0140bda5601079c
SHA2560b75817b9ce2164f52e537c66bbff0fe53024bf9a00fb193efd63fe48f34a978
SHA512ee1096446f6a17bc3fde9aadb418ca4b2db5132cdde1e429300487aaf4d8b9865a3bbc95d3a3198cde137a6395f69c035b74a72f74edc22a490bccc3320b0b03
-
Filesize
50B
MD54cefbb980962973a354915a49d1b0f4d
SHA11d20148cab5cdadb85fad6041262584a12c2745d
SHA25666de8db363de02974a1471153112e51f014bb05936ce870c433fd9a85b34455a
SHA5126a088bbc6c40454165ddee3183667d2997dca5fcc8312f69e3c2397e61255e49b5146b24c2c64cd3c8867289e3abfdf1155e47722fdd8276f96d51e8f311d4b0
-
Filesize
36B
MD57f077f40c2d1ce8e95faa8fdb23ed8b4
SHA12c329e3e20ea559974ddcaabc2c7c22de81e7ad2
SHA256bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf
SHA512c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b
-
Filesize
32B
MD54ec1eda0e8a06238ff5bf88569964d59
SHA1a2e78944fcac34d89385487ccbbfa4d8f078d612
SHA256696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5
SHA512c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e
-
Filesize
110B
MD5a004023825237dadc8f934758ff9eaf2
SHA1c981a900b5ce63884635cedfe5ba722416021cb2
SHA2563c4e82aae615a7bed985b4544afecb774b728df1cc9f7561ea25b97482119ef7
SHA512e49667fca51a6497ccae9b881d679b857c025f2945ab93c9a6769b1c0a632329993daefab6eda9ed70a32a75630d7b3d93dda5acda8ff87ffe5f090ca7b35e4f
-
Filesize
75B
MD5c6c7f3ee1e17acbff6ac22aa89b02e4e
SHA1bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b
SHA256a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4
SHA51286ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4
-
Filesize
35B
MD5976b1cf7e3442f88cd8ba26d3f0965bb
SHA1b75438dc71de4ac761d94a215ddbffadcd1225b0
SHA256decde67630f29fc003cb1f2ccbd7371a05079985a9cce93ec93c4fadd8dc5541
SHA512d0472fed72e1eb0a7747a693a0e654fbe92dd028db3cc42377810d90474dd4099ac981cca333eb52c18e75ed04a1f1f79f3bf5957fe8b16086f1252b3454b8d5
-
Filesize
519B
MD59ca5eb41a53645be63d247ad8a9a7869
SHA12e98b04b5a2efb04d20bc7fe51b05c4e4841205b
SHA256f67c58a61ddef715b01debc66ddc0e3c365295ac9870328f6b8bdbcb02a6b8c9
SHA5127dd7d295ccce957490f025eef124b22c809f140a96003126b801bbbdd94eb2115ee59e7d16dd1f020b1d6eaaff66853b9de2cbf7092c1692f40dbe21ab346fd8
-
Filesize
1KB
MD5d404c20aa696a2523b971878f564bafd
SHA12a5092d1268d5a1a3ec598860f8dbcd9babccfa9
SHA2567400bf65daaa42a40b4affff9146855916cb4601158dd240630c136336b9c413
SHA512448ad8ff67a8d2fd9ed11d5f3f189e288e1c42a5b97e42618c3bbe4edc5acc98cba75140446c268d7043cdfa2b3b3d5ca6d1bce6e272ce059d6c0bb2875627dc
-
Filesize
382KB
MD541dd108ada487cb93a6e099e074f605b
SHA1354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA51233adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
Filesize
382KB
MD541dd108ada487cb93a6e099e074f605b
SHA1354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA51233adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
Filesize
382KB
MD541dd108ada487cb93a6e099e074f605b
SHA1354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA51233adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
Filesize
382KB
MD541dd108ada487cb93a6e099e074f605b
SHA1354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA51233adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
Filesize
382KB
MD541dd108ada487cb93a6e099e074f605b
SHA1354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA51233adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
Filesize
382KB
MD541dd108ada487cb93a6e099e074f605b
SHA1354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA51233adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
Filesize
382KB
MD541dd108ada487cb93a6e099e074f605b
SHA1354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA51233adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
Filesize
382KB
MD541dd108ada487cb93a6e099e074f605b
SHA1354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA51233adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
Filesize
382KB
MD541dd108ada487cb93a6e099e074f605b
SHA1354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA51233adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
Filesize
382KB
MD541dd108ada487cb93a6e099e074f605b
SHA1354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA51233adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
Filesize
382KB
MD541dd108ada487cb93a6e099e074f605b
SHA1354f9fcee3214078d2bc5e3ea55c6b678c2fe2bf
SHA256aebce4939ad8d8df9d1807debb140669e47a24c71b7978249362d3b0900c33f3
SHA51233adb352e06e779871224ce094954756f15e49785fc14f8c8a02476b420b00907961d3489944c2da42fa84e8185f0f6bc7eefde58ebc4ae213fed9bfa1b5932b
-
Filesize
12KB
MD590c9098e2eb5062c38d773ed36e0a45d
SHA175452e3e075afed8ce58cf1437cba9c82e3e0500
SHA25626de924c9e2a7e4625b2d9d354bf9792b7c2929b4ab0def88f60ba6e8b7bb498
SHA512e540eaa97e9eaf393eeaa31ef4990d55256c048ea96a3245298a42eb01d10d1fb791e7f17b31d3d6fe35c553c59dcd08e8d5c0efc3179c6b4abff138a15d836d
-
Filesize
10KB
MD51688527450637fc2493851e18b60063d
SHA161c8b4417984a6d72376b9f3dd0660a15745a0f6
SHA256454ab36679a39e0caab39204e73d646f5234c21abcba0b4598d3e6e8a7bf3694
SHA5126d9d4dac4028d960127ec4288f02a3e2dbd8ac124f6f913f241a2305b6a09f5dc8303d6047db63135400ea40e1697249d7124809a67548a30ad64b195aa1dd9e
-
Filesize
231B
MD59d8c4bfbd009c4d6001e2125abaa8b02
SHA1cd040558172b5fca5b200447a281843956243741
SHA256a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0
SHA512c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f
-
Filesize
144KB
-
Filesize
392KB
-
Filesize
132KB
-
Filesize
392KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB